Preface



The International Conference “Foundations of Software Science and Computa- 
tion Structures” (FOSSACS) is a constituent of the “Joint European Conferences 
on Theory and Practice of Software” (ETAPS). The present volume contains the 
contributions to FOSSACS’99, the second conference in this series, which took 
place in Amsterdam. 

As formulated in the call for papers, FOSSACS focusses on “papers which offer 
progress in foundational research with a clear significance for software science. 
A central issue is theories and methods which support the specification, trans- 
formation, verification, and analysis of programs and software systems.” The 
articles in this volume represent a wide spectrum of approaches to this general 
aim. In many papers, one finds the study of new concepts and methods which 
are motivated by recent trends (or problems) in the practical use of software and 
information technology. 

The volume contains 18 contributed papers, preceded by three invited papers. 
The first, by M. Abadi, accompanies his “unifying invited lecture” addressed to 
the whole ETAPS audience. The second, by J. Esparza and J. Knoop, contains 
an application of the results presented by J. Esparza in his invited lecture to 
FOSSACS’99. The third summarizes an invited tutorial by D. Sangiorgi pre- 
sented to ETAPS’99. 

The selection of the contributed papers was in the hands of a programme committee
consisting of R. di Cosmo (Paris), E.A. Emerson (Austin, TX), J. Engelfriet
(Leiden), H. Ganzinger (Saarbrücken), D. Kozen (Ithaca, NY), B. Jonsson
(Uppsala), A. Jung (Birmingham), M. Nielsen (Aarhus), T. Nipkow (Munich),
D. Niwiński (Warsaw), C. Palamidessi (University Park, PA), A. Petit (Cachan),
C. Stirling (Edinburgh), and W. Thomas (Aachen, chair). From 40 submis- 
sions, 18 were selected in a procedure which consisted of an e-mail discussion 
and a physical meeting in Aachen. Four members were present at this meeting 
(H. Ganzinger, B. Jonsson, A. Petit, W. Thomas); the others were contacted 
by e-mail in individual cases and provided with intermediate summaries of the 
discussion. I would like to thank all members of the programme committee and 
all subreferees for their diligent work and efficient cooperation. Special thanks 
go to Marianne Kuckertz and Jesper G. Henriksen for their excellent support 
regarding secretarial work and the electronic infrastructure and communication. 



Aachen, January 1999 



Wolfgang Thomas 

FOSSACS’99 Programme Committee Chair
Foreword



ETAPS’99 is the second instance of the European Joint Conferences on Theory 
and Practice of Software. ETAPS is an annual federated conference that was 
established in 1998 by combining a number of existing and new conferences. 
This year it comprises five conferences (FOSSACS, FASE, ESOP, CC, TACAS),
four satellite workshops (CMCS, AS, WAGA, CoFI), seven invited lectures, two
invited tutorials, and six contributed tutorials. 

The events that comprise ETAPS address various aspects of the system de- 
velopment process, including specification, design, implementation, analysis and 
improvement. The languages, methodologies and tools which support these ac- 
tivities are all well within its scope. Different blends of theory and practice are 
represented, with an inclination towards theory with a practical motivation on 
one hand and soundly-based practice on the other. Many of the issues involved 
in software design apply to systems in general, including hardware systems, and 
the emphasis on software is not intended to be exclusive. 

ETAPS is a loose confederation in which each event retains its own identity, 
with a separate programme committee and independent proceedings. Its format 
is open-ended, allowing it to grow and evolve as time goes by. Contributed talks 
and system demonstrations are in synchronized parallel sessions, with invited 
lectures in plenary sessions. Two of the invited lectures are reserved for “unify- 
ing” talks on topics of interest to the whole range of ETAPS attendees. As an 
experiment, ETAPS’99 also includes two invited tutorials on topics of special 
interest. The aim of cramming all this activity into a single one-week meeting 
is to create a strong magnet for academic and industrial researchers working on 
topics within its scope, giving them the opportunity to learn about research in 
related areas, and thereby to foster new and existing links between work in areas 
that have hitherto been addressed in separate meetings. 

ETAPS’99 has been organized by Jan Bergstra of CWI and the University of 
Amsterdam together with Frans Snijders of CWI. Overall planning for ETAPS’99
was the responsibility of the ETAPS Steering Committee, whose current mem- 
bership is: 

André Arnold (Bordeaux), Egidio Astesiano (Genoa), Jan Bergstra (Amsterdam),
Ed Brinksma (Enschede), Rance Cleaveland (Stony Brook),
Pierpaolo Degano (Pisa), Hartmut Ehrig (Berlin), José Fiadeiro
(Lisbon), Jean-Pierre Finance (Nancy), Marie-Claude Gaudel (Paris),
Susanne Graf (Grenoble), Stefan Jähnichen (Berlin), Paul Klint (Amsterdam),
Kai Koskimies (Tampere), Tom Maibaum (London), Ugo
Montanari (Pisa), Hanne Riis Nielson (Aarhus), Fernando Orejas
(Barcelona), Don Sannella (Edinburgh), Gert Smolka (Saarbrücken),
Doaitse Swierstra (Utrecht), Wolfgang Thomas (Aachen), Jerzy Tiuryn
(Warsaw), David Watt (Glasgow)



ETAPS’98 has received generous sponsorship from: 

KPN Research 
Philips Research 

The EU programme “Training and Mobility of Researchers” 

CWI 

The University of Amsterdam 

The European Association for Programming Languages and Systems 
The European Association for Theoretical Computer Science 

I would like to express my sincere gratitude to all of these people and orga- 
nizations, the programme committee members of the ETAPS conferences, the 
organizers of the satellite events, the speakers themselves, and finally Springer- 
Verlag for agreeing to publish the ETAPS proceedings. 

Edinburgh, January 1999 Donald Sannella 

ETAPS Steering Committee Chairman 
Security Protocols and Specifications



Martin Abadi 
ma@pa.dec.com

Systems Research Center 
Compaq 



Abstract. Specifications for security protocols range from informal nar- 
rations of message flows to formal assertions of protocol properties. This 
paper (intended to accompany a lecture at ETAPS ’99) discusses those 
specifications and suggests some gaps and some opportunities for further 
work. Some of them pertain to the traditional core of the field; others 
appear when we examine the context in which protocols operate. 



1 Introduction 

The method of “security by obscurity” dictates that potential attackers to a 
system should be kept from knowing not only passwords and cryptographic keys 
but also basic information about how the system works, such as the specifica- 
tions of cryptographic algorithms, communication protocols, and access-control 
mechanisms. It has long been argued that “security by obscurity” is usually 
inferior to open design [55,28]. Of course, the value of writing and publishing 
specifications is greater when the specifications are clear, complete, and at an 
appropriate level of abstraction. 

Current specifications of security mechanisms and properties vary greatly in 
quality, scope, purpose, and vocabulary. Some specifications are informal nar- 
rations that mix natural language and ad hoc notations. For example, the doc- 
uments that describe the functioning of security protocols such as SSL [27], 
SSH [63], and IKE [32] often have this style. Other specifications are precise 
mathematical statements, sometimes expressed in formal calculi. These specifi- 
cations have played a particularly significant role in cryptography and crypto- 
graphic protocols, but also appear in other areas, for example in information-flow 
analysis (e.g., [28,22,43,48]). 

Many of these specifications serve as the basis for reasoning, with various 
degrees of rigor and effectiveness, during system design, implementation, and 
analysis. In recent years, there has been much progress in the development of 
techniques for stating and proving properties about small but critical security 
components. For example, a substantial and successful body of work treats the 
core messages of security protocols and the underlying cryptographic functions. 
In this area, theory has been relevant to practice, even in cases where the theory 
is simplistic or incomplete. There seems to have been less progress in treating 
more complex systems [56], even those parts in the vicinity of familiar security
mechanisms. For example, we still have only a limited understanding of many of
the interfaces, prologues, and epilogues of practical security protocols.

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 1-13, 1999.

In this paper, we discuss specifications in the field of security, focusing on 
protocol specifications. We examine specifications of several sorts: 

— In section 2, we consider specifications that concern the step-by-step be- 
havior of a protocol. Such specifications can be largely independent of any 
assumptions or intended effects of the protocol. 

— In section 3, we consider properties of protocols, in particular authentic- 
ity and secrecy properties, but also more exotic properties. We emphasize 
secrecy properties. 

— In section 4, we view protocols in context by discussing their boundaries. 
These boundaries include programming interfaces, protocol negotiation, and 
error handling. 

This paper is an informal, partial overview, and does not advocate any particular 
methods for specification and verification. Occasionally, however, the spi calcu- 
lus [6] serves in explanations of formal points. In addition, the paper suggests 
some gaps and some opportunities for further work. The subject of this paper 
seems to be reaching maturity, but also expanding. There is still much scope for 
applying known techniques to important protocols, for developing simpler tech- 
niques, for exploring the foundations of those techniques, and also for studying 
protocols in context, as parts of systems. 

2 Protocol narrations 

The most common specifications are mere narrations of protocol executions. 
These narrations focus on the “bits on the wire” : they say what data the various 
participants in a protocol should send in order to communicate. They are some- 
times simple, high-level descriptions of sequences of messages, sometimes more 
detailed documents that permit the construction of interoperable implementa- 
tions. 

Following Needham and Schroeder [52], we may write a typical pair of mes- 
sages of a protocol thus: 

Message 1   $A \rightarrow B : \{N_A\}_{K_{AB}}$

Message 2   $B \rightarrow A : \{N_A, N_B\}_{K_{AB}}$

Here A and B represent principals (users or computers). In Message 1, A sends
to B an encrypted message, with key Kab and cleartext Na. In Message 2,
B responds with a similar message, including Nb in the cleartext. The braces
represent the encryption operation, in this case using a symmetric cryptosystem
such as DES [48]. The subscripts on Kab, Na, and Nb are merely hints. It may
be understood that A and B both know the key Kab in advance and that A
and B freshly generate Na and Nb respectively, so Na and Nb serve as nonces.

As Bob Morris has pointed out [7], the notation “Message n X → Y : M”
needs to be interpreted with care, because security protocols are not intended
to operate in benign environments. The network between X and Y may be
unreliable and even hostile; X and Y themselves may not deserve total trust.
So we may interpret “Message n X → Y : M” only as “the protocol designer
intended that X send M as the nth message in the protocol, and for it to
be received by Y”. One may want additional properties of this message, for
example that only Y receive it or that Y should know that this message is part
of a particular protocol execution; however, such properties cannot be taken for
granted.

A sequence of messages is not a complete description of a protocol; it must 
be complemented with explanations of other forms. Protocol narrations often 
give some but not all of these explanations. 

— As done above, a specification should say which pieces of data are known to 
principals in advance and which are freshly generated. 

— A specification should also say how principals check the messages that they 
receive. For example, after receipt of Message 2, principal A may be expected 
to check that it is encrypted under Kab and that the first component of its 
cleartext is the nonce Na sent in Message 1. If this check fails, A may ignore 
the message or report an error. (Section 4 discusses errors further.) Checks 
are an essential part of protocols. For example, the absence of a check in 
the CCITT X.509 protocol [18] allowed an attack [16]; other attacks arise 
when principals assume that the messages that they receive have particular 
forms [9]. 

— The emission of Message n+1 follows the reception of Message n only in 
the simplest protocols. In general, a protocol may allow multiple messages 
belonging to the same session to be in flight simultaneously. The constraints 
on the order of messages in SSL have often been misunderstood [60]. Other 
complex protocols may be similarly confusing. 

— As a convention, it is generally assumed that many protocol executions may 
happen simultaneously, and that the same principal may participate in sev- 
eral such executions, possibly playing different roles in each of them. This 
convention has exceptions, however. For example, some protocols may re- 
strict concurrency in order to thwart attacks that exploit messages from 
two simultaneous executions. In addition, some roles are often reserved for 
fixed principals — for example, the name S may be used for a fixed authen- 
tication server. A complete specification should not rely on unclear, implicit 
conventions about concurrency and roles. 
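As an added example, not code from the paper, here is a small symbolic model in Python of the two-message exchange of this section. Encryption is a tagged tuple rather than a real cipher, which is enough to make explicit the three things the text asks a narration to state: the data each principal holds in advance (Kab), the data it generates freshly (Na, Nb), and the check that A performs on Message 2, namely that it decrypts under Kab and that its first component is the nonce A sent. The class and function names are my own; the two tampered messages at the end are constructed inputs that show the check rejecting what it should.

```python
"""Symbolic model of the two-message exchange from section 2 (added example).

There is no real cryptography here: a term is a tagged tuple, and {M}K is
simply ("enc", M, K). That is enough to state who knows what and which
checks each principal makes on the messages it receives.
"""
import secrets


def name(n):
    return ("name", n)


def enc(m, k):
    return ("enc", m, k)          # {m}k, symmetric encryption of m under k


def pair(m, n):
    return ("pair", m, n)         # the pair (m, n)


def fresh_nonce(label):
    # A nonce is a freshly generated name; the random suffix stands for the
    # fact that nobody can predict it (the "freshly generated" data of the text).
    return name(f"{label}-{secrets.token_hex(4)}")


def decrypt(term, key):
    """Cleartext of term if it has the form {M}key, else None.
    This is the failing case of the spi-calculus 'case x of {y}K' construct."""
    if isinstance(term, tuple) and term[0] == "enc" and term[2] == key:
        return term[1]
    return None


class PrincipalA:
    """Initiator: knows Kab in advance, generates Na, sends Message 1."""

    def __init__(self, kab):
        self.kab = kab
        self.na = None

    def message1(self):
        self.na = fresh_nonce("Na")
        return enc(self.na, self.kab)                 # Message 1  A -> B : {Na}Kab

    def check_message2(self, msg):
        """The check the text says a specification must state: Message 2
        decrypts under Kab and its first component is the nonce A sent."""
        clear = decrypt(msg, self.kab)
        if clear is None or clear[0] != "pair":
            return False                              # wrong key or wrong shape
        return clear[1] == self.na                    # must echo A's own nonce


class PrincipalB:
    """Responder: knows Kab in advance, generates Nb, answers Message 1."""

    def __init__(self, kab):
        self.kab = kab

    def respond(self, msg):
        """B's behaviour, as in the process Pb: decrypt x under Kab, bind y,
        then send {y, Nb}Kab. Returns None when the decryption fails."""
        y = decrypt(msg, self.kab)
        if y is None:
            return None
        nb = fresh_nonce("Nb")
        return enc(pair(y, nb), self.kab)            # Message 2  B -> A : {Na,Nb}Kab


def run_and_check(tamper=None):
    """One execution; 'tamper' optionally replaces Message 2 before A checks it."""
    kab = name("Kab")                                 # shared in advance by A and B
    a, b = PrincipalA(kab), PrincipalB(kab)
    m2 = b.respond(a.message1())
    if tamper is not None:
        m2 = tamper(m2, kab)
    return a.check_message2(m2)


# Constructed inputs for exercising the check, not attacks described in the paper.
def wrong_nonce(m2, kab):
    # A well-formed Message 2 whose first component is a nonce A never sent.
    return enc(pair(fresh_nonce("Na-other"), fresh_nonce("Nb")), kab)


def wrong_key(m2, kab):
    # The same cleartext encrypted under some key other than Kab.
    return enc(m2[1], name("K-other"))


if __name__ == "__main__":
    print("honest run accepted:", run_and_check())
    print("wrong nonce rejected:", not run_and_check(wrong_nonce))
    print("wrong key rejected:", not run_and_check(wrong_key))
```

The point of `check_message2` is the one the text makes about the X.509 attack: the narration alone says what B sends, but only an explicit check ties Message 2 to the nonce of this execution, and a specification that omits it leaves A free to accept any well-formed ciphertext under Kab.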

These limitations are widely recognized. They have been addressed in approaches 
based on process calculi (e.g., [41, 6, 47, 38, 57]) and other formal descriptions of 
processes (e.g., [53,58]). The process calculi include established process calculi, 
such as CSP, and others specifically tailored for security protocols. Here we 
sketch how protocols are described in the spi calculus [6]; descriptions in other 
process calculi would have similar features. 

The spi calculus is an extension of the pi calculus [50] with primitives for 
cryptographic operations. Spi-calculus processes can represent principals and 
sets of principals. For example, the process

$(\nu K_{AB})(P_A \mid P_B)$

may represent a system consisting of two principals, playing the roles of A and
B as described above, in a single execution of the protocol. The construct ν is
the standard restriction binder of the pi calculus; here it binds a key Kab, which
will occur in Pa and Pb. The construct | is the standard parallel-composition
operation of the pi calculus. Finally, Pa and Pb are two processes. The process
Pb may be:

$c(x).\,\mathbf{case}\ x\ \mathbf{of}\ \{y\}_{K_{AB}}\ \mathbf{in}\ (\nu N_B)\,\overline{c}\langle \{y, N_B\}_{K_{AB}}\rangle$

Informally, the components of this process have the following meanings: 

— c is the name of a channel, which we use to represent the network on which
the principals communicate.

— c(x) awaits a message on c. When a message is received, the bound variable
x is instantiated to this message. The expected message in this example is
$\{N_A\}_{K_{AB}}$.

— $\mathbf{case}\ x\ \mathbf{of}\ \{y\}_{K_{AB}}\ \mathbf{in}\ \ldots$ attempts to decrypt x using
the key Kab. If x is a term of the form $\{M\}_{K_{AB}}$, then the bound variable
y is instantiated to the contents M, and the remainder of the process
($(\nu N_B)\,\overline{c}\langle\{y, N_B\}_{K_{AB}}\rangle$) is executed.

— $(\nu N_B)$ generates Nb.

— $\overline{c}\langle\{y, N_B\}_{K_{AB}}\rangle$ sends $\{M, N_B\}_{K_{AB}}$ where M is the term to which y
has been instantiated.

The syntax of the spi calculus distinguishes names (such as c, Kab, and Nb) 
from variables (x and y), and processes (active entities) from terms (data that 
can be sent in messages). We refer to previous papers for the details of this 
syntax. We also omit a definition of Pa; it is similar in style to that of Pb.
Since the spi calculus is essentially a programming language, it is a matter of
programming to specify the generation of data, checks on messages, concurrency,
and replication. For these purposes, we can usually employ standard constructs
from the pi calculus, but we may also add constructs when those seem inadequate
(for example, for representing number-theoretic checks). In particular, we can
use the ν construct for expressing the generation of keys, nonces, and other data.
For example, the name Nb bound with ν in Pb represents the piece of data that
B generates. On the other hand, the free names of Pb (namely c and Kab)
represent the data that B has before the protocol execution.

Thus, specifications in the spi calculus and other formal notations do not 
suffer from some of the ambiguities common in informal protocol narrations. 
Moreover, precise specifications need not be hard to construct: in recent work, 
Lowe, Millen, and others have studied how to turn sequences of messages into 
formal specifications [47]. To date, however, formal specifications do not seem to 
have played a significant role for protocol implementations. Their main use has 
been for reasoning about the properties of protocols; those properties are the 
subject of the next section. 
3 Protocol properties

Although the execution of a protocol may consist in sending bits on wires, the 
bits have intended meanings and goals. These meanings and goals are not always 
explicit or evident in protocol narrations (cf. [7]). 

There is no universal interpretation for protocols. Two usual objectives are to 
guarantee authenticity and secrecy of communications: only the intended prin- 
cipals can send and receive certain pieces of data. Other objectives include for- 
ward secrecy [24], non-repudiation, and availability. Some objectives contradict 
others. For example, some protocols aim to guarantee anonymity rather than au- 
thenticity, or plausible deniability [54] rather than non-repudiation. Moreover, 
many definitions have been proposed even for such basic concepts as authenticity 
(e.g., [11,30,42,3]). 

Nevertheless, there are some common themes in the treatment of protocol 
properties. 

— The participants in security protocols do not operate in a closed world, but 
in communication with other principals. Some of those principals may be 
hostile, and even the participants may not be fully trusted. Thus, interaction 
with an uncertain environment is crucial. 

— Security properties are relative to the resources of attackers. Moreover, it 
is common to attempt to guarantee some properties even if the attackers 
can accomplish some unlikely feats. For example, although precautions may 
be taken to avoid the compromise of session keys, an attacker might obtain 
one of those keys. A good protocol design will minimize the effect of such 
events. In particular, certificates for keys should expire [23]; and when one 
key is expiring, it should not be used for encrypting the new key that will 
replace it. 

— It is common to separate essential security properties from other properties 
such as functional correctness and performance. For example, one may wish 
to establish that messages between a client and a server are authentic, even 
if one cannot prove that the server’s responses contain the result of applying 
a certain function to the client’s requests. 

Protocol properties have been expressed and proved in a variety of frame- 
works. Some of these frameworks are simple and specialized [16], others powerful 
and general. A frequent, effective approach consists in formulating properties as 
predicates on the behaviors (sequences of states or events) of the system con- 
sisting of a protocol and its environment (e.g., [62, 11, 31, 41, 51, 53, 14, 57]). For 
example, in the simple dialogue between A and B shown in section 2, the au- 
thenticity of the second message may be expressed thus: 

If A receives a message encrypted under Kab, and the message contains
a pair Na, Nb where Na is a nonce that A generated, then B has sent
the message sometime after the generation of Na.

Once properly formalized, this statement is either true or false for any particular 
behavior. Such predicates on behaviors have been studied extensively in the 
literature on concurrency (e.g., [8,36]). 
A richer view of authenticity also takes into account concepts such as authority
and delegation [29, 37]. Those concepts appear, for example, when we weaken
the authenticity statement by allowing B to delegate the task of communicating 
with A and the necessary authority for this task. However, it is still unclear how 
to integrate those concepts with predicates on behaviors. 

Furthermore, some security properties — such as noninterference — are not 
predicates on behaviors [44,45]. For instance, suppose that we wish to require 
that a protocol preserve the secrecy of one of its parameters, x. The protocol 
should not leak any information about x — in other words, the value of x should 
not interfere with the behavior of the protocol that the environment can ob- 
serve. The parameter x may denote the identity of one of the participants or the 
sensitive data that is sent encrypted after a key exchange. In general, we cannot 
express this secrecy property as a predicate on behaviors. On the other hand, 
representing the protocol as a process P(x), we may express the secrecy property
by saying that P(M) and P(N) are equivalent (or indistinguishable), for all
possible values M and N for x (cf. [59, 33]). Here we say that two processes P1
and P2 are equivalent when no third process Q can distinguish running in parallel
with P1 from running in parallel with P2. This notion of process equivalence
(testing equivalence) has been applied to several classes of processes and with
several concepts of distinguishability, sometimes allowing complexity-theoretic
arguments (e.g., [21, 15,6,38]). Now focusing on the spi calculus, we obtain one
definition of secrecy:

Definition 1 (One definition of secrecy). Suppose that the process P(x) has
at most x as free variable. Then P preserves the secrecy of x if P(M) and P(N)
are equivalent for all terms M and N without free variables.

For example, the process $(\nu K)\,\overline{c}\langle\{x\}_K\rangle$, which sends x encrypted under a fresh
key K on a channel c, preserves the secrecy of x. Previous papers on the spi
calculus [6, 1] contain more substantial examples to which this concept of secrecy
applies.

Approaches based on predicates on behaviors rely on a rather different defi- 
nition of secrecy, which can be traced back to the influential work of Dolev and 
Yao [26] and other early work in this area [35,49,46]. According to that defini- 
tion, a process preserves the secrecy of a piece of data M if the process never 
sends M in clear on the network, or anything that would permit the computation
of M, even in interaction with an attacker.

Next we show one instantiation of this general definition, again resorting to 
the spi calculus. For this purpose, we introduce the following notation from the 
operational semantics of the spi calculus; throughout, P and Q are processes, M 
is a term, m, m1, ..., mk are names, and x is a variable.

— $P \longrightarrow Q$ means that P becomes Q in one silent step (a $\tau$ step).

— $P \xrightarrow{m(x)} Q$ means that, in one step, P is ready to receive an input x on m
and then to become Q.

— $P \xrightarrow{(\nu m_1, \ldots, m_k)\,\overline{m}\langle M \rangle} Q$ means that, in one step, P is ready to create the
new names $m_1, \ldots, m_k$, to send M on m, and then to become Q.
We represent the state of knowledge of the environment of a process by a set
of terms S with no free variables (intuitively, a set of terms that the environment
has). Given a set S, we define C(S) to be the set of all terms computable from
S, with the properties that $S \subseteq C(S)$ and $C(C(S)) = C(S)$; thus, C is a closure
operator. The main rules for computing C(S) concern encryption and decryption:

- if $M \in C(S)$ and $N \in C(S)$ then $\{M\}_N \in C(S)$;

- if $\{M\}_N \in C(S)$ and $N \in C(S)$ then $M \in C(S)$.

Straightforward rules concern terms of other forms, for example pairs:

- if $M \in C(S)$ and $N \in C(S)$ then $(M, N) \in C(S)$;

- if $(M, N) \in C(S)$ then $M \in C(S)$ and $N \in C(S)$.

Given a set of terms S0 and a process P0, we let R be the least relation such
that:

— $R(P_0, S_0)$.

— If $R(P, S)$ and $P \longrightarrow Q$ then $R(Q, S)$.

— If $R(P, S)$ and $P \xrightarrow{m(x)} Q$ and $m \in C(S)$ and $M \in C(S)$ then $R(Q[M/x], S)$.

— If $R(P, S)$ and $P \xrightarrow{(\nu m_1, \ldots, m_k)\,\overline{m}\langle M \rangle} Q$ and $m \in C(S)$ and $m_1, \ldots, m_k$
do not occur in S then $R(Q, S \cup \{M\})$.

Intuitively, R(P, S) means that, if the environment starts interacting with process
P0 knowing S0, then the environment may know S (and all terms computable
from it, C(S)) when P0 evolves to P. The environment may know some names
initially, but it does not create more names along the way. The first clause in
this definition sets the initial state of the interaction. The second one is for silent
steps. The third one deals with a message from the environment to the process;
the environment must know the message’s channel name m and contents M.
The fourth one deals with a message in the opposite direction; assuming that
the environment knows the message’s channel name m, it learns the message’s
contents M; some new names m1, ..., mk may occur in M.

We arrive at the following alternative view of secrecy: 

Definition 2 (Another definition of secrecy). Suppose that S is a set of
terms with no free variables, and P a process with no free variables. Suppose that
the free names of M are not bound in P or any process into which P evolves.
Let R be the relation associated with P and S. Then P may reveal M from S if
there exist P' and S' such that $R(P', S')$ and $M \in C(S')$; and P preserves the
secrecy of M from S otherwise.

We do not have much experience with this definition of secrecy for the spi cal- 
culus. It is a somewhat speculative translation of definitions proposed in other 
settings. 
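The closure operator C(S) and the relation R of this section, as an added Python example that is not the paper's own code. It decides membership in C(S) for the symbolic terms used here (names, encryptions {M}N, pairs) and follows the environment's knowledge S along a trace of input and output events, enforcing the side conditions of the third and fourth clauses of R. C(S) itself is infinite, since the encryption rule can be applied without bound, so the code first saturates S under the decryption and projection rules and then checks whether M can be built with the constructor rules; for these rules that order of steps is complete. One simplification, which is my assumption rather than the paper's definition: instead of exploring every process P' reachable from P, it takes the trace as given and answers whether P may reveal M from S along that particular trace. The sample traces are constructed: the two messages of section 2, and the re-keying mistake mentioned above, a new key sent under a key the environment holds.

```python
"""Environment knowledge in the style of section 3: membership in the closure
C(S) and the growth of S along a trace (added example, not the paper's code).

Terms are tuples: ("name", n), ("enc", M, K) for {M}K, ("pair", M, N)."""


def name(n):
    return ("name", n)


def enc(m, k):
    return ("enc", m, k)


def pair(m, n):
    return ("pair", m, n)


def derivable(M, known):
    """Synthesis: can M be built from 'known' with the constructor rules
    (M, N in C(S) gives {M}N and (M, N) in C(S))? Assumes 'known' is
    already saturated by analyze()."""
    if M in known:
        return True
    if M[0] in ("enc", "pair"):
        return derivable(M[1], known) and derivable(M[2], known)
    return False


def analyze(S):
    """Analysis: saturate S under the destructor rules, projection of pairs
    and decryption of {M}N when the key N is derivable. Terminates because
    every term added is a subterm of a term already present."""
    known = set(S)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            parts = ()
            if t[0] == "pair":
                parts = (t[1], t[2])
            elif t[0] == "enc" and derivable(t[2], known):
                parts = (t[1],)
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known


def in_closure(M, S):
    """M in C(S): analysis followed by synthesis decides membership."""
    return derivable(M, analyze(S))


def occurs(n, S):
    """Does the name n occur inside any term of S? (side condition of the
    fourth clause of R: the 'new' names must be new to the environment)"""
    def occ(t):
        return t == n or (t[0] != "name" and (occ(t[1]) or occ(t[2])))
    return any(occ(t) for t in S)


def knowledge_after(S0, trace):
    """Follow R along one trace. Events are ("in", m, M), a message from the
    environment to the process, or ("out", m, M, new_names), a message from
    the process. Returns the final S, or None if some event is impossible for
    an environment that knows only S0 and what it has learned so far."""
    S = set(S0)
    for ev in trace:
        if ev[0] == "in":
            _, m, M = ev
            if not (in_closure(m, S) and in_closure(M, S)):
                return None                 # third clause: must know m and M
        else:
            _, m, M, new = ev
            if not in_closure(m, S) or any(occurs(n, S) for n in new):
                return None                 # fourth clause: m known, new names fresh
            S.add(M)                        # the environment learns M
    return S


def may_reveal(M, S0, trace):
    """Definition 2 restricted to one trace: is M in C(S') for the S' reached?"""
    S = knowledge_after(S0, trace)
    return S is not None and in_closure(M, S)


# Constructed sample data.
c, kab, na, nb = name("c"), name("Kab"), name("Na"), name("Nb")
# The two messages of section 2, seen by an environment that knows only c.
two_message_trace = [
    ("out", c, enc(na, kab), [na]),              # A -> B : {Na}Kab
    ("out", c, enc(pair(na, nb), kab), [nb]),    # B -> A : {Na,Nb}Kab
]
# The design error noted in section 3: a new key sent under a key the
# environment holds (here Kold is in S0 from the start).
kold, knew = name("Kold"), name("Knew")
rekey_trace = [("out", c, enc(knew, kold), [knew])]

if __name__ == "__main__":
    print("Kab secret after the two messages:", not may_reveal(kab, {c}, two_message_trace))
    print("Knew revealed when Kold is known:", may_reveal(knew, {c, kold}, rekey_trace))
```

Note what the second sample shows in the terms of this definition: the process preserves the secrecy of Knew from {c}, but not from {c, Kold}; the Dolev-Yao view makes the dependence on the environment's initial knowledge S explicit, which is exactly what the first, equivalence-based definition does not talk about.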

By presenting both definitions of secrecy in the same framework, we are in a 
position to compare them and understand them better. We can immediately see 
that, unfortunately, neither definition of secrecy implies the other: the first one 
concerns a process with a free variable x, while the second one concerns a process
plus a set of terms with no free variables. There are also deeper differences
between them: in particular, the first definition rules out implicit information 
flows [22], while the second one does not. We leave for further work explain- 
ing when one definition is appropriate and when the other, and finding useful 
relations between them. 

Both of these definitions of secrecy rely on a simple, abstract representation 
of cryptographic functions. More detailed accounts of cryptography may include 
complexity-theoretic assumptions about those functions (e.g., [43]). Another, 
challenging subject for further work is bridging the gap between those treat- 
ments of cryptography. For instance, we may wonder whether the complexity- 
theoretic assumptions justify our definitions of secrecy. Analogous questions arise 
for definitions of authenticity. 

4 Protocol boundaries 

Often the specification of a protocol and its verification focus on the core of 
the protocol and neglect its boundaries. However, these boundaries are far from 
trivial; making them explicit and analyzing them is an important part of under- 
standing the protocol in context. These boundaries include: 

(1) interfaces and rules for proper use of the protocol, 

(2) interfaces and assumptions for auxiliary functions and participants, such as 
cryptographic algorithms and network services, 

(3) traversals of machine and network boundaries, 

(4) preliminary protocol negotiations, 

(5) error handling. 

We discuss these points in more detail next. 

(1) Whereas narrations may say what data the various principals in a protocol 
should send, they seldom explain how the principals may generate and use 
that data. On the other hand, the good functioning of the protocol may 
require that some pieces of data be unrelated (for example, a cleartext and 
the key used to encrypt it). Other pieces of data (typically session keys, but 
sometimes also nonces) may need to remain secret for some period of time. 
Furthermore, as a result of an execution of the protocol, the participants 
may obtain some data with useful properties. For instance, the protocol may 
yield a key that can be used for signing application messages. Application 
program interfaces (or even programming languages) should allow applica- 
tions to exploit those useful properties, with clear, modular semantics, and 
without revealing tricky low-level cryptographic details (e.g., [12,40,39,61, 
2,5,10]). 

(2) Some protocols rely on fixed suites of cryptosystems. In other cases, assumptions
about the properties of cryptographic operations are needed. For
example, in the messages of section 2, it may be important to say whether B
can tell that A encrypted using Kab. This property may hold because
of redundancy in Na or in the encryption function, and would not hold if
any message of the appropriate size is the result of encrypting some valid
nonce with Kab. It may also be important to say that B is not capable of
making {Na,Nb}Kab from {Na}Kab and Nb without Kab. This property
is a form of non-malleability [25]. In recent years, the literature on protocols
has shown an increasing awareness of subtle cryptographic issues; it may be
time for some principled simplification.

Similarly, protocols often rely on network time servers, trusted third parties, 
and other auxiliary participants. Detailed assumptions about these servers 
are sometimes absent from protocol narrations, but they are essential in 
reasoning about protocols. 

(3) Protocol messages commonly go across network interfaces, firewalls with 
tunnels, and administrative frontiers (e.g., [12,61,20,19,4]). In some con- 
texts (e.g., [17]), even the protocol participants may be mobile. These traver- 
sals often require message translations (for example, marshaling and rewrit- 
ing of URLs). They are subject to filtering and auditing. Furthermore, they 
may trigger auxiliary protocols. Some of these traversals seem to be a grow- 
ing concern in protocol design. 

(4) Systems often include multiple protocols, each of them with multiple ver- 
sions and options. Interactions between protocols can lead to flaws; they can 
be avoided by distinguishing the messages that correspond to each proto- 
col (e.g., [7,34]). Before executing a protocol (in a particular version, with 
particular options) the participants sometimes agree to do so by a process 
of negotiation in which they may consider alternatives. The alternatives can 
vary in their levels of security and efficiency. In protocols such as SSL, this 
process of negotiation is rather elaborate and error-prone [60] . Despite clear 
narrations, it offers unclear guarantees. 

(5) As discussed in section 2, protocol specifications often do not explain how
principals react when they perceive errors. Yet proper handling of errors
can be crucial to system security. For example, in describing attacks on
protocols based on RSA's PKCS #1 standard [13], Bleichenbacher reported
that the SSL documentation does not clearly specify error conditions and
the resulting alert messages, and that SSL implementations vary in their
handling of errors. He concluded that even sending out an error message may
sometimes be risky and that the timing of the checks within the protocol is
crucial.

The intrinsic properties of a protocol, such as the secrecy of session keys, 
are worthy of study. However, these intrinsic properties should eventually be 
translated into properties meaningful for the clients of the protocol. These clients 
may want security, but they may not be aware of internal protocol details (such 
as session keys) and may not distinguish the protocol from the sophisticated 
mechanisms that support it and complement it. Therefore, specification and 
reasoning should concern not only the core of the protocol in isolation but also 
its boundaries, viewing the protocol as part of a system. 
theoretic approach to model-checking beyond the class of finite-state

1 Introduction

Recent work [15,24] has shown that model-checking algorithms for abstract
classes of infinite-state systems, like context-free processes [1,5] and pushdown
processes [6], find a natural application in the area of data-flow analysis (DFA)
for programming languages with procedures [16], usually called interprocedural
DFA. A large variety of DFA problems, whose solution is required by optimising
compilers in order to apply performance-improving transformations, can be
solved by means of a single model-checking technique.

The techniques of [5,6] are based on what could be called the fixpoint approach
to model-checking [24], in which the set of states satisfying a temporal
property is defined and computed as a fixpoint in an adequate lattice. Some
years ago, Vardi and Wolper presented in a seminal paper [25] an alternative
automata-theoretic approach in which, loosely speaking, verification problems
are reduced to the emptiness problem for different classes of automata. This
approach has had considerable success for finite-state systems, and constitutes
the theoretical basis of verification algorithms implemented in tools like SPIN
[13], PROD [26], or PEP [27]. Recently, the approach has also been extended to
context-free processes and pushdown processes [4,10], and to other infinite-state
classes able to model parallelism [18].

The goal of this paper is to show that the techniques derived from these
recent developments can also be applied to DFA. We provide solutions for the
interprocedural versions of a number of important DFA problems, starting with
the class of so-called bitvector problems. On the one hand, the structural simplicity
of these problems allows us a gentle way of introducing our approach. On the
other hand, these problems are quite important as they are the prerequisite of
numerous optimisations like partially redundant expression elimination, partially
redundant assignment elimination, partially dead code elimination, and strength
reduction [23], which are widely used in practice. In detail, we investigate:

(a) the four problems of Hecht’s taxonomy of bitvector problems [12], 

(b) the computation of faint variables, and 

(c) the problems of (a) for parallel languages. 

In contrast to (a), for which there exist several solutions in the literature, (b) 
and (c) have — to the best of our knowledge — not been considered yet in an 
interprocedural setting; solutions for the intraprocedural case can be found in 
[11, 14] for (b), and in [17] for (c). 

The paper is organised as follows. Section 2 contains an informal introduction 
to DFA, recalls the DFA problems mentioned above, and in particular presents 
the flow graph model. Section 3 gives flow graphs a structured operational se- 
mantics. Sections 4, 5, and 6 present the solutions to the problems (a), (b) and 
(c) above, respectively, and Section 7 contains our conclusions. 



2 Data-flow Analysis 

Intuitively, data-flow analysis (DFA) is concerned with deciding run-time proper- 
ties of programs without actually executing them, i.e., at compile time. Basically, 
the properties considered can be split into two major groups (cf. [12]). Proper- 
ties whose validity at a program point depends on the program’s history, i.e., 
on the program paths reaching it, and properties whose validity depends on the 
program’s future, i.e., on the suffixes of program paths passing it. Both groups 
can further be split into the subgroups of universally and existentially quantified 
properties, i.e., whose validity depends on all or on some paths, respectively. 

Background. Using the standard machinery of DFA (cf. [12]), the validity of
a property at a program point n is deduced from a data-flow fact computed
for n. This fact reflects the meaning of the program at n with respect to an
abstract, simpler version of the "full" program semantics, which is tailored for
the property under consideration. The theory of abstract interpretation provides
here the formal foundation (cf. [7-9,19]). In this approach the data-flow facts
are given by elements of an appropriate lattice, and the abstract semantics of
statements by transformations on this lattice. The meet-over-all-paths (MOP)
semantics then defines the reference solution, i.e., the data-flow fact desired for a
program point n: it is the "meet" (intersection) of all data-flow facts contributed
by all program paths reaching n. The MOP-semantics is conceptually quite close
to the program property of interest, but since there can be infinitely many program
paths reaching a program point it does not directly lead to algorithms for
the computation of data-flow facts. Therefore, in the traditional DFA-setting the
MOP-semantics is approximated by the so-called maximal-fixed-point (MFP) semantics.
It is defined as the greatest solution of a system of equations imposing
consistency constraints on an annotation of the program points with data-flow
facts. The MFP-semantics coincides with its MOP-counterpart when the functions
specifying the abstract semantics of statements are distributive, a result
known as the Coincidence Theorem.

Note that the MOP-semantics is defined in terms of possible program executions.
From the point of view of temporal logic this means in a pathwise,
hence linear-time fashion. In contrast, the computation of the MFP-semantics
proceeds by consistency checks taking the immediate neighbours of a program
point simultaneously into account. From the point of view of temporal logic
this means in a tree-like, hence branching-time fashion. Thus, in the traditional
DFA-setting there is a gap between the reference semantics defining the data-flow
facts of the program annotation desired (the MOP-semantics), and the semantics
the computation of the program annotation with data-flow facts relies on (the
MFP-semantics). An important feature of the automata-theoretic approach to
DFA we are going to present here is the absence of a similar separation of concerns,
providing in this respect a more natural and conceptually simpler access
to DFA.

Flow graphs. In DFA programs are commonly represented by systems of flow
graphs, where every flow graph represents a procedure of the underlying program.
Flow graphs are directed graphs, whose nodes and edges represent the
statements and the intraprocedural control flow of the procedure represented.
Usually, control flow is interpreted nondeterministically in order to avoid undecidabilities.
As illustrated in Figure 1(a) and (b), which show the flow graph
and the flow graph system representing a single procedure and a program with
procedures, we consider edge-labelled flow graphs, i.e., the edges represent both
the statements and the control flow, while nodes represent program points. We
assume that statements are assignments of the form v := t including the empty
statement, call statements of the form call Π(t1, ..., tn), or output operations of
the form out(t), where v is a variable, Π a procedure identifier, and t, t1, ..., tn
are terms.

Bitvector properties and faint variables. Bitvector properties correspond to structurally
particularly simple DFA-problems, which, simultaneously, are most important
in practice because of the broad variety of optimisations based on them
(cf. Section 1). Their most prominent representatives, the availability and very
busyness of terms, the reachability of program points by definitions, and the
liveness of variables, span the complete space of the taxonomy recalled above as
was shown by Hecht [12]. Intuitively, a term t is available at a program point n,
if on all program paths reaching n term t is computed without any of its
operands being assigned a new value afterwards. Thus, availability is a universally
quantified history-dependent property. Very busyness is its dual counterpart.
A term t is very busy at a program point n, if it is computed on all program
paths passing n and reaching the end node before any of its operands is assigned
a new value after leaving n. Hence, very busyness is a universally quantified
future-dependent property. For illustration consider Figure 1(a), in which the
program points where a + b is very busy are highlighted in grey.

Fig. 1. Flow graphs and flow graph systems.

Reaching definitions (for convenience referred to as reachability later) and live 
variables are existentially quantified history- and future-dependent properties. 
Intuitively, a program point n is reached by the definition of a particular edge 
e if there is a program path across e reaching n which after passing e is free of 
definitions of the left-hand side variable of the definition of e. A variable v is live 
at a program point n, if on some program path passing n there is a reference 
to V, which after leaving n is not preceded by a redefinition of v. Conversely, a 
variable is dead at a program point, if it is not live at it. 

This latter property is well-suited in order to illustrate how bitvector proper- 
ties can be used for optimisation. Every assignment whose left-hand side variable 
is dead is “useless,” and can be eliminated because there is no program contin- 
uation on which its left-hand side variable is referenced without a preceding 
redefinition of it. This is known as dead-code elimination. 

Like the bitvector problems recalled above, DFA-problems are often con- 
cerned with sets of program items like terms, variables, or definitions. Charac- 
teristic for bitvector problems, however, is that they are “separable (decompos- 
able):” The validity of a bitvector property for a specific item is independent of 
that of any other item. This leads to particularly simple formulations of bitvector 
problems on sets of items (and implementations in terms of bit vectors). 

Faintness is an example of a program property which lacks the decomposability
property. Intuitively, faintness generalizes the notion of dead variables.
A variable f is faint at a program point if on all program continuations any
right-hand side occurrence of f is preceded by a modification of f, or occurs
in an assignment whose left-hand side variable is faint, too. A simple example
of a faint but not dead variable is the variable f in the assignment f := f + 1,
assuming that the assignment occurs in a loop without any other occurrence
of f elsewhere in the program (cf. Figure 1(a)). Assignments to faint variables
can be eliminated as useless like those to dead ones. Whereas deadness, however,
is a bitvector property, faintness is not. It is not separable, which prevents the
computation of faintness for a variable in isolation.
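The contrast between a bitvector problem and faintness can be made concrete by computing both as maximal fixed points over a small edge-labelled flow graph. The following Python is an added example and not code from the paper; the flow graph, the variable names and the helper names (live_variables, faint_variables, dead_assignments, faint_assignments) are constructed here. It computes liveness as the least fixpoint of the usual union equations and faintness as the greatest fixpoint of the intersection equations that follow from the definition above, and then lists the assignments each analysis would eliminate. The loop edge f := f + 1 reproduces the paper's example of a variable that is live but faint.

```python
"""Liveness (a bitvector problem) and faintness (not a bitvector problem)
computed as maximal fixed points over an edge-labelled flow graph.
Added example: the flow graph below is constructed for this illustration."""

# Statements label the edges: ("assign", lhs, rhs_vars), ("out", vars), ("skip",).
# Nodes are program points; node 7 is the end node (no outgoing edges).
EDGES = [
    (1, 2, ("assign", "x", {"a", "b"})),   # x := a + b
    (2, 3, ("assign", "f", {"f"})),        # f := f + 1, inside the loop 2 -> 3 -> 2
    (3, 2, ("skip",)),                     # back edge of the loop
    (3, 4, ("out", {"x"})),                # out(x)
    (4, 5, ("assign", "x", {"a"})),        # x := a   (dead: overwritten on 5 -> 6)
    (5, 6, ("assign", "x", {"c"})),        # x := c
    (6, 7, ("out", {"x"})),                # out(x)
]
VARS = {"a", "b", "c", "f", "x"}
NODES = sorted({n for src, dst, _ in EDGES for n in (src, dst)})


def live_transfer(stmt, live_out):
    """Backward transfer for liveness: kill the defined variable, add the used ones."""
    if stmt[0] == "assign":
        _, lhs, rhs = stmt
        return (live_out - {lhs}) | rhs
    if stmt[0] == "out":
        return live_out | stmt[1]
    return set(live_out)


def faint_transfer(stmt, faint_out):
    """Backward transfer for faintness: v is faint before stmt iff every
    continuation overwrites v first, or references v only inside an
    assignment to a variable that is itself faint afterwards."""
    result = set()
    for v in VARS:
        if stmt[0] == "out":
            faint = v not in stmt[1] and v in faint_out
        elif stmt[0] == "assign":
            _, lhs, rhs = stmt
            if v in rhs:
                faint = lhs in faint_out   # reference feeds a faint variable (f := f + 1 included)
            elif v == lhs:
                faint = True               # the old value of v is overwritten
            else:
                faint = v in faint_out
        else:
            faint = v in faint_out
        if faint:
            result.add(v)
    return result


def mfp(transfer, combine, init):
    """Chaotic iteration of the MFP equations sol[n] = combine over the edges
    (n, n', s) of transfer(s, sol[n']).  From `init` (bottom for liveness, top
    for faintness) it converges to the least, respectively greatest, solution."""
    sol = {n: set(init) for n in NODES}
    changed = True
    while changed:
        changed = False
        for n in NODES:
            outs = [transfer(s, sol[dst]) for src, dst, s in EDGES if src == n]
            new = combine(outs) if outs else set(init)
            if new != sol[n]:
                sol[n], changed = new, True
    return sol


def live_variables():
    return mfp(live_transfer, lambda sets: set().union(*sets), set())


def faint_variables():
    return mfp(faint_transfer, lambda sets: set.intersection(*sets), VARS)


def dead_assignments():
    """Edges whose assignment dead-code elimination removes."""
    live = live_variables()
    return [(s, d) for s, d, st in EDGES if st[0] == "assign" and st[1] not in live[d]]


def faint_assignments():
    """Edges whose assignment can be removed because its target is faint."""
    faint = faint_variables()
    return [(s, d) for s, d, st in EDGES if st[0] == "assign" and st[1] in faint[d]]


if __name__ == "__main__":
    live, faint = live_variables(), faint_variables()
    for n in NODES:
        print(n, "live:", sorted(live[n]), "faint:", sorted(faint[n]))
    print("dead:", dead_assignments(), "faint:", faint_assignments())
```

The liveness transfer function only touches the bit of the variable in question, so the problem decomposes over variables; the faintness transfer function must consult whether the left-hand side u of an assignment referencing v is faint at the successor point, which is exactly the lack of separability described above. On this graph x := a at node 4 is both dead and faint, whereas f := f + 1 is faint but not dead.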

DFA in the interprocedural and parallel setting. DFA is particularly challenging
in the presence of recursive procedures, because of the existence of potentially
infinitely many copies of local variables of recursive procedures at run-time, and
parallel statements, because of the phenomena of interference and synchronisation.
In the following we illustrate this by means of the programs of Figure 1(b),
2, and 3 using very busyness of the terms a + b and c + b as example.

In the example of Figure 1(b), the term c + b is very busy at the program
point preceding the recursive call of Π1 in procedure Π1, while a + b is not. The
difference lies in the fact that in the case of a + b a global operand is modified
within the recursive call, while it is a local one in the case of c + b. Thus, very
busyness of c + b is not affected because the assignment c := ... modifies a new
incarnation of c. In fact, after returning from the procedure call, the incarnation
of c which was valid when calling Π1 is valid again, and, of course, it has
not been modified. In contrast, the modification of a affects a global variable,
and hence, the modification survives the return from the call. Thus, computing
a + b after the recursive call will yield a different value than computing it before
this call. Similar phenomena can be observed for the other bitvector problems.
This is illustrated in Figure 2 and Table 1, which summarizes for specific pairs
of program points and program items the availability, reachability and liveness
information. In the framework of [16] these obstacles of interprocedural DFA are
overcome by mimicking the behaviour of the run-time stack by a corresponding
DFA-stack, and additionally, by keeping track of whether modifications of operands
affect a global or a local variable. So-called return functions, which are additionally
introduced in this setting enlarging the specification of an abstract semantics,
extract this information from the DFA-information valid at call time and valid
immediately before returning from the called procedure, which allows a proper
treatment of programs with both local and global variables. In this paper we
present a different approach to this problem.

Fig. 2. The sequential interprocedural setting. (The flow graphs are not recoverable
from the extraction; the three procedures declare the local variables a,b,c,d;
x,y,z; and u,v,w, respectively.)

Table 1. Values of some bitvector problems. (Only the layout of the table is
recoverable from the extraction: the rows are the program points 5, 6, 7, 8, 25
and 26 of Figure 2; the columns give the availability of the terms a + b, b + c,
a + x and b + y, the reaching definitions α: a := ..., β: d := ... and γ: z := ...,
and the liveness of the variables b, c, v and w. The individual tt/ff entries cannot
be reliably assigned to cells.)

Consider now Figure 3, and imagine that the three procedures shown in
(a) are embedded either into a sequential (b) or parallel (c) program context,
respectively. The pattern of very busy program points is different because of the
effects of interference and synchronisation. While in (b) the term a + b is very
busy at nodes 1, 7, and 8, in (c) it is very busy at nodes 1 and 10. DFA of
programs with explicit parallelism has attracted so far little attention, possibly
because naive adaptations of the sequential techniques typically fail [21], and
the costs of rigorous straightforward adaptations are prohibitive because of the
number of interleavings expressing the possible executions of a parallel program.
Though for an intraprocedural setting it could recently be shown that bitvector
problems are an exception, which can be solved as easily and as efficiently as their
sequential counterparts [17], a corresponding result for a setting with procedures
has not yet been presented.

Conventions. Without loss of generality we make the following assumptions on
flow graphs, which allow us a simpler notation during the presentation of the
automata-theoretic approach. Flow graphs have a unique start node and end
node without incoming and outgoing edges, respectively. Each node of a flow
graph lies on a path connecting its start node and end node. The main procedure
of a program cannot be called by any procedure of the program. Procedures are
not statically nested. Edges leaving (approaching) a node with more than one
successor (predecessor) are labelled by the empty statement. And, finally, the
left-hand-side variable of an assignment does not occur in its right-hand-side
term.

Fig. 3. The parallel interprocedural setting. (Only fragments of the figure survive
the extraction: (a) three procedures Π1, Π2 and Π3 with nodes 1 to 9, where Π1
contains the edges x := a+b and a := ...; (b) a sequential main procedure
declaring VAR a,b,x,y; (c) a parallel main procedure declaring VAR a,b,x,y,
with an edge y := a+b, nodes 10 and 11, and a parallel call pcall of the three
procedures.)
3 A Structured Operational Semantics for Flow Graph
Systems

In this section we give flow graph systems a formal semantics very much in
the style of the operational semantics of process algebras (see for instance [3]).
Intuitively, we interpret a node of a flow graph as an agent that can execute some
actions, namely the labels of the edges leaving it. The execution of an action
transforms an agent into a new one. The actions that an agent can execute
and the result of their execution are determined by transition rules. So, for
instance, for a flow graph edge of the form n --v := t--> n', interpreted as "the
agent n can execute the action v := t, and become the agent n'," we introduce
the rule N --v := t--> N' (uppercase letters are used to avoid confusion). In order
to model procedure calls we introduce a sequential composition operator on
agents with the following intended meaning: the sequential composition of N1
and N2, denoted by the concatenation N1 · N2, is the agent that behaves like
N1 until it terminates, and then behaves like N2. It is now natural to assign
to an edge n --call Π_i(T)--> n', where T is a vector (t1, ..., tk) of terms, the rule
N --call_i--> START_i · N' (the name of the action is shortened for readability)^1.

Let us now formally define the semantics. We associate to a flow graph system
a triple (Con, Act, Δ), called a process system^2, where Con is a set of agent
constants, Act is a set of actions, and Δ ⊆ Con^+ × Act × Con* is a set
of transition rules. An agent over Con is a sequential composition of agent
constants, seen as an element of Con*. In particular, the empty sequence ε is
an agent. The set Δ induces a reachability relation --a--> ⊆ Con* × Con* for each
a ∈ Act, defined as the smallest relation satisfying the following inference rules:

- if (P1, a, P2) ∈ Δ, then P1 --a--> P2;

- if P1 --a--> P1' then P1 · P2 --a--> P1' · P2, for every P2 ∈ Con*.

The second rule captures the essence of sequential composition: only the first
constant of a sequence can perform an action. Since the left-hand side of a rule
cannot be empty, the agent ε cannot execute any action, and so it corresponds
to the terminated agent.

In the sequel we overload the --a--> symbol and write P1 --a--> P2 instead of
(P1, a, P2) ∈ Δ.

We associate to a flow graph system the process system (Con, Act, Δ) where
Con is the set of program nodes plus a special agent constant START, Act is the
set of edge labels plus special actions τ, start_0, and end_i for each procedure
Π_i, and Δ contains the rules shown in Table 2. Observe that the left-hand sides
of the rules of Δ have length 1, and that all terminating executions of the flow
graph system begin with the action start_0 and end with end_0.

^1 Recall that start_i is the start node of the flow graph Π_i.

^2 Process systems are very close to the Basic Process Algebra of [2] or the context-free
processes of [5]. We use another name due to small syntactic differences.
Flow graph                        Process rule
n --τ--> n'                       N --τ--> N'
n --v := t--> n'                  N --v := t--> N'
n --out(t)--> n'                  N --out(t)--> N'
n --call Π_i(T)--> n'             N --call_i--> START_i · N'
start node start_0                START --start_0--> START_0
end nodes end_i                   END_i --end_i--> ε

Table 2. Rules of the process system.



4 Interprocedural Bitvector Problems 

In this section we provide solutions to the basic four bitvector problems using 
a language-theoretic formalism. We show how to compute the set of program 
points satisfying the existentially quantified properties. For universally quanti- 
fied properties we first compute the set of points satisfying the negation of the 
property, which is existentially quantified, and then take the complement with 
respect to the set of all program points. 

We first consider the case in which all variables are global, and subsequently 
move to the general case with both local and global variables. 

4.1 Global Variables

We introduce some notations:

- Def_v denotes the set of actions of the form v := t;

- Ref_v denotes the set of actions of the form u := t such that v appears in t;

- Comp_t denotes the set of actions of the form v := t' such that t' contains t
as subterm;

- Mod_t denotes the set of actions of the form v := t' such that v appears in t.^3

Let us start by formalising the liveness problem. A global variable v is live
at a program point n if there exists a sequence START --σ1--> P1 --σ2--> P2 satisfying
the following constraints:

1. P1 = N · P1' (so σ1 corresponds to a program path ending at the program
point n);

2. σ2 ∈ (Act − Def_v)* Ref_v (so in σ2 the variable v is referenced before it is
defined).

The other problems (or their negations) can be formalised following the same
pattern. In fact, in the case of very busyness and availability what we directly
compute in our approach, as mentioned above, is the set of program points
at which t is not very busy or t is not available, respectively. Table 3 lists
the constraints on P1, σ2, P2 that must be satisfied in each case (there are no
constraints on σ1).

^3 Notice that, due to the conventions at the end of Section 2, the sets Comp_t and
Mod_t are disjoint.
Property                      P1         σ2                                          P2
v is live at n                N · P1'    LI_v = (Act − Def_v)* Ref_v                 Con*
m --v := t--> m' reaches n    M · P1'    RE_v = (v := t)(Act − Def_v)*               N · P2'
t is not very busy at n       N · P1'    NVB_t = (Act − Comp_t)* (Mod_t + end_0)     Con*
t is not available at n       Con*       NA_t = (start_0 + Mod_t)(Act − Comp_t)*     N · P2'

Table 3. Constraints on P1, σ2, and P2.



Solving the Problems. Given a process system (Con, Act, Δ), we make the
following straightforward but crucial observation: a set of agents is just a language
over the alphabet Con, and so it makes sense to speak of a regular set of
agents. Automata can be used to finitely represent infinite regular sets of agents.

This observation has been exploited by Finkel, Willems and Wolper in [10]
and by Bouajjani, Maler and the first author in [4] to develop efficient algorithms
for reachability problems in process systems. We present some of the results of
[10,4], and apply them to the bitvector problems for flow graph systems.

Let L ⊆ Con* and C ⊆ Act* be regular languages. We call C a constraint,
and define

post*[C](L) = {P ∈ Con* | P' --σ--> P for some P' ∈ L and some σ ∈ C}

In words, post*[C](L) is the set of agents that can be reached from L by means
of sequences satisfying the constraint C. Analogously, we define

pre*[C](L) = {P ∈ Con* | P --σ--> P' for some P' ∈ L and some σ ∈ C}

So pre*[C](L) is the set of agents from which it is possible to reach an agent in
L by means of a sequence in C. We abbreviate post*[Act*](L) and pre*[Act*](L)
to post*(L) and pre*(L), respectively. We have the following result:

Theorem 1 ([10,4]). Let (Con, Act, Δ) be a process system such that each rule
P1 --a--> P2 satisfies |P1| ≤ 2, and let L ⊆ Con* and C ⊆ Act* be regular sets.
Then pre*[C](L) and post*[C](L) are regular sets of agents. Moreover, automata
accepting these sets can be computed in O(n_Δ · n_L^2 · n_C) time, where n_Δ is the size
of Δ, and n_L, n_C are the sizes of two automata accepting L and C, respectively.

Let us use this result to compute the set of program points at which the
variable v is live. This is by definition the set of program points n for which there
is a sequence START --σ1--> P1 --σ2--> P2 satisfying P1 = N · P1' and σ2 ∈ LI_v. Observe
that pre*[LI_v](Con*) is the set of agents from which a sequence σ2 ∈ LI_v can
be executed. Notice however that not all these agents are necessarily reachable
from START. Since the set of agents reachable from START is post*(START),
we compute an automaton accepting

pre*[LI_v](Con*) ∩ post*(START)

Now, in order to know if v is live at n it suffices to check if this automaton
accepts some word starting with N.
Problem           Set of agents
liveness          pre*[LI_v](Con*) ∩ post*(START)
reachability      post*[RE_v](post*(START) ∩ M · Con*)
very busyness     pre*[NVB_t](Con*) ∩ post*(START)
availability      post*[Act* NA_t](START)

Table 4. Agents corresponding to the four bitvector problems.

Table 4 shows the sets of agents that have to be computed to solve all four
bitvector problems. For the complexity, notice that the number of states of the
automata for L and C depends only on the bitvector problem, and not on the
process system. So the liveness and reaching definition problems for a given
variable v and the very busyness and availability problems for a given term t
can be solved in O(n_Δ) time.
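The liveness entry of Table 4, worked in code. The following Python is an added example and not the authors' implementation: it builds the process system of Table 2 for a small constructed flow graph system with global variables, saturates an automaton for pre*[LI_v](Con*) in the style of [10,4] (for each product rule (q, X) → (q', W), where X --a--> W is a rule of Δ and q --a--> q' a transition of the constraint automaton, and each path q' --W--> q'' already in the automaton, add q --X--> q''), and then searches for a word N · P accepted by that automaton whose stack P is reachable from START. Under the conventions of Section 2, post*(START) consists exactly of the agents X · n'_k ... n'_1 in which each n'_j is the return point of a call of the procedure containing the symbol before it and n'_1 lies in the main procedure; the search checks this directly instead of building a second automaton. References inside out(t) are counted in Ref_v here, as in the RefOut sets of Section 5. The names PROCS, pre_star, live_points and the procedure Π2 are assumptions of this example; Π2 is never called, and without the post*(START) intersection the automaton reports v live at every point except s0, because the unreachable agent n3 · s2 lies in pre*[LI_v](Con*).

```python
"""Interprocedural liveness of a global variable v as the check
"some agent N . P lies in pre*[LI_v](Con*) and in post*(START)".
Added example (not the paper's code); the flow graph system is constructed."""
from collections import deque

# Procedure i has start node f"s{i}" and end node f"e{i}".  Edge actions are
# ("assign", lhs, rhs_vars), ("out", vars), ("tau",) or ("call", i).
PROCS = {
    0: [("s0", "n1", ("assign", "v", set())),   # v := 1
        ("n1", "n2", ("call", 1)),              # call PI_1
        ("n2", "e0", ("out", {"w"}))],          # out(w)
    1: [("s1", "n3", ("assign", "w", {"v"})),   # w := v + 1
        ("n3", "e1", ("tau",))],
    2: [("s2", "e2", ("out", {"v"}))],          # PI_2 is never called
}
PROC_OF = {n: i for i, edges in PROCS.items() for e in edges for n in e[:2]}
CON = ["START"] + sorted(PROC_OF)                         # agent constants
# return point n' -> (callee i, procedure j containing the call edge n -> n')
RETURN_POINTS = {n2: (act[1], j) for j, edges in PROCS.items()
                 for _, n2, act in edges if act[0] == "call"}


def rules():
    """Transition rules (X, action, W) of the process system, as in Table 2."""
    rs = [("START", ("start", 0), ["s0"])]
    for i, edges in PROCS.items():
        rs.append((f"e{i}", ("end", i), []))            # END_i --end_i--> epsilon
        for n, n2, act in edges:
            rhs = [f"s{act[1]}", n2] if act[0] == "call" else [n2]
            rs.append((n, act, rhs))
    return rs


def is_def(act, v):
    return act[0] == "assign" and act[1] == v


def is_ref(act, v):
    return act[0] in ("assign", "out") and v in act[-1]


def li_step(q, act, v):
    """Constraint LI_v = (Act - Def_v)* Ref_v as a two-state automaton:
    state 0 is initial, state 1 is final; returns the successor states."""
    nxt = set()
    if q == 0 and not is_def(act, v):
        nxt.add(0)
    if q == 0 and is_ref(act, v):
        nxt.add(1)
    return nxt


def run(rel, q, word):
    """States reachable from q by reading word in the automaton rel."""
    cur = {q}
    for x in word:
        cur = {q2 for (q1, y, q2) in rel if q1 in cur and y == x}
    return cur


def pre_star(step, n_states, final):
    """Saturation for pre*[C](Con*).  The automaton's states are the states of
    C; initially every final state of C accepts every agent (L = Con*).  For a
    product rule (q, X) -> (q', W) and a path q' --W--> q'' already present,
    add the transition q --X--> q'' until nothing changes."""
    rel = {(q, x, q) for q in final for x in CON}
    changed = True
    while changed:
        changed = False
        for x, act, w in rules():
            for q in range(n_states):
                for q2 in step(q, act):
                    for q3 in run(rel, q2, w):
                        if (q, x, q3) not in rel:
                            rel.add((q, x, q3))
                            changed = True
    return rel


def accepted_from(rel, final, node, check_reachable):
    """Is some agent node . P accepted from state 0?  With check_reachable the
    stack P must also be a return stack reachable from START: each symbol is a
    return point of a call of the procedure below it and the chain ends in
    the main procedure (index 0)."""
    todo = deque((q, PROC_OF[node]) for (q0, x, q) in rel if q0 == 0 and x == node)
    seen = set(todo)
    while todo:
        q, i = todo.popleft()
        if q in final and (i == 0 or not check_reachable):
            return True
        for (q1, x, q2) in rel:
            if q1 != q:
                continue
            if check_reachable:
                if x not in RETURN_POINTS or RETURN_POINTS[x][0] != i:
                    continue
                nxt = (q2, RETURN_POINTS[x][1])
            else:
                nxt = (q2, i)                           # any stack allowed
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def live_points(v, check_reachable=True):
    """Program points at which the global variable v is live."""
    final = {1}
    rel = pre_star(lambda q, act: li_step(q, act, v), 2, final)
    return {n for n in PROC_OF if accepted_from(rel, final, n, check_reachable)}


if __name__ == "__main__":
    print("v live at", sorted(live_points("v")))                 # n1, s1
    print("w live at", sorted(live_points("w")))                 # e1, n2, n3
    print("v without post*(START):", sorted(live_points("v", False)))
```

Liveness of w at n3 and at the end node e1 of Π1 comes entirely from the caller's continuation out(w) at n2, which the automaton reaches by reading the return point n2 off the stack; liveness of v at n3, by contrast, would require the stack s2, which no execution from START produces.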



4.2 Local and Global Variables

The reader has possibly noticed that we have not exploited all the power of
Theorem 1 so far. While the theorem holds for rules with a left-hand side of
length 1 or 2, we have only applied it to rules with left-hand sides of length 1.
We now use its full power in order to solve the bitvector problems in a setting with
global and local variables.

A local variable v is live at a program point n if and only if there exists a
sequence START --σ1--> N · P --σ2--> N' · P for some agent P such that

(1) the last action a of σ2 belongs to Ref_v,

(2) all the agents reached along the execution of σ2 are of the form P' · P, and

(3) for every transition P1 · P --b--> P2 · P of σ2, if b ∈ Def_v, then |P1| ≥ 2.

Here, condition (2) guarantees that the incarnation of v referenced by a and the
incarnation of v valid at N · P are the same. Condition (3) guarantees that this
incarnation is not modified along the execution of σ2.

We now apply a general strategy of our automata approach, which will be
used again in the next section: instead of checking conditions (1) to (3) on
the simple process system corresponding to the flow graph, we check a simpler
condition on a more complicated process system. Intuitively, this new system
behaves like the old one, but at any procedure call in a computation (or at
the beginning of the program) it can nondeterministically decide to push a new
agent constant M onto the stack, used to Mark the procedure call, and enter a new
mode of operation, called the local mode. In local mode the process distinguishes
between actions occurring at the current procedure call (the marked call in the
sequel), and actions occurring outside it, i.e., actions occurring after encountering
further procedure calls before finishing the marked call, or actions occurring after
finishing the marked call.

We extend the process system with new agents, actions, and rules. The additional
new agents are M (the Marker) and O (used to signal that we are Outside
the marked call). There is also a new action a_m for each old action a, plus extra
actions mark, return, exit.^4 In the new process system a_m can only occur at the
marked call, and a only at other levels. For each old rule we add one or more
new ones as shown in Table 5. Notice that once the marker is introduced, all
reachable agents have either M or O in front, and that once the marked call
terminates no agent ever has M in front again.

Old rule                          New additional rule(s)
N --a--> N'                       M · N --a_m--> M · N'                  (a_m in the marked call)
                                  O · N --a--> O · N'                    (a outside the marked call)
START --start_0--> START_0        START --mark--> M · START_0
N --call_i--> START_i · N'        N --mark--> M · START_i · N'           (marking the current call)
                                  M · N --exit--> O · START_i · M · N'   (entering a deeper level)
                                  O · N --call_i--> O · START_i · N'
END_i --end_i--> ε                M · END_i --end_i--> O                 (end of the marked call)
                                  O · END_i --end_i--> O
(no old rule)                     O · M --return--> M                    (return to the marked call)

Table 5. Rules of the extended process system.

Given a local variable v, we define Rel-Def_v = {a_m | a ∈ Def_v} and
Rel-Ref_v = {a_m | a ∈ Ref_v}, where Rel stands for "relevant." If an agent moves
into local mode at a procedure call in which a local variable v is incarnated, then
Rel-Def_v and Rel-Ref_v are the actions concerning this same incarnation of v.

If we let Ext-Act be the extended set of actions of the new process system,
then a local variable v is live at a program point n if and only if there exists a
sequence START --σ1--> P1 --σ2--> P2 satisfying the following constraints:

- P1 = M · N · P1', and

- σ2 ∈ (Ext-Act − Rel-Def_v)* Rel-Ref_v.

So the constraint on σ2 when the program has both local and global variables is
obtained from the constraint for global variables by substituting Ext-Act for Act,
Rel-Def_v for Def_v, and Rel-Ref_v for Ref_v. The reaching definitions problem can
be solved analogously.

For the very busyness and the availability problems we have to take into
account that the term t may contain local and global variables. Let LocId(t) and
GlobId(t) be the set of local and global variables that appear in t. We define

Rel-Mod_t = ∪_{v ∈ GlobId(t)} Def_v ∪ ∪_{v ∈ LocId(t)} Rel-Def_v

Rel-Comp_t = {a_m | a ∈ Comp_t}

A term t is not very busy at a program point n if and only if there exists a sequence
START --σ1--> P1 --σ2--> P2 satisfying the following constraints:

- P1 = M · N · P1', and

- σ2 ∈ (Ext-Act − Rel-Comp_t)* (Rel-Mod_t + end_0).

Since the number of transition rules of the new process system increases only
by a constant factor, the algorithm still runs in O(n_Δ) time.

^4 These actions are not strictly necessary, they are only included for clarity.



5 Interprocedural Faint Variables 

Recall that a variable v is faint at a program point n if on every program path 
from n every right-hand side occurrence of v is either preceded by a modification 
of V or is in an assignment whose left-hand side variable is faint as well. We 
show how to compute the set of program points at which a variable is faint in an 
interprocedural setting with global and local variables. This requires to split the 
set of references of a variable into the subset of references occurring in an output 
statement, and its complement set. To this end we introduce the notation: 

- Ref Out ^ denotes the set of actions of the form mj,t{f), such that v appears 
in t. 

Faintness is a universal property, i.e., one that holds only if all program paths 
from a point n satisfy some condition. We formalise its negation, which is an 
existential property. A variable v is not faint at a program point n if there exists 
a sequence START -% P± P 2 satisfying the following constraints: 

- Pi — N ■ P[ (so ( 7 i corresponds to a program path ending at the program 
point n), and 

- V is not faint at Pi Pz- 

It remains to define the set of paths at which v is not faint. In comparison to
the related bitvector property of deadness, the only new difficulty is to deal
adequately with the recursive nature of the definition of faintness. The set is
recursively defined as the smallest set of finite paths P1 ⇒a1 P2 ⇒a2 P3 ··· Pn,
where P1 = N · P1', such that

(1) a1 ∈ RefOut_v, or

(2) v is global, a1 ∉ Def_v, and v is not faint at P2 ⇒a2 P3 ··· Pn, or

(3) v is local for N, a1 is an assignment not in Def_v, and v is not faint at
P2 ⇒a2 P3 ··· Pn, or

(4) a1 = u := t, where v appears in t, and u is not faint at P2 ⇒a2 P3 ··· Pn.

Notice the difference between (2) and (3). If v is local and a1 is a call action,
then after the execution of a1 the new program point is out of the scope of v,
and so v is faint at P1 ⇒a1 P2 ⇒a2 P3 ··· Pn.⁵ If v is global, then we remain within
the scope of v, and so we do not know yet whether v is faint or not.

⁵ With our definition v may be faint at N · P1' ⇒ P2 ⇒ P3 ··· Pn but not faint at
some other path N · P1'' ⇒ P2' ⇒ P3' ··· Pn', and so not faint at N.
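As an added example (not code from the paper), the recursive definition above can be computed directly as a least fixpoint when the setting is simplified to a single procedure with global variables only, so that conditions (1), (2) and (4) apply and condition (3) never does. The flow graph, its points n1 to n5 and the program on its edges are constructed for the example. Ordinary liveness is computed alongside for contrast: at n2 the variable x is live, since the loop uses it before redefining it, but it is faint, because the only uses of x and y feed each other and never reach an output.

```python
"""Faint variables as a least fixpoint (constructed intraprocedural example)."""
from typing import Dict, List, Set, Tuple

# Actions labelling flow-graph edges: ('assign', u, uses), ('out', uses), ('skip',)
Action = Tuple
Edge = Tuple[str, Action, str]          # (source point, action, target point)


def step_not_faint(a: Action, nf_after: Set[str]) -> Set[str]:
    """Variables not faint before edge `a`, given those not faint after it.
    Mirrors conditions (1), (2) and (4) of the definition for global variables."""
    if a[0] == 'out':                       # (1): a ∈ RefOut_v for every v in t;
        return set(a[1]) | nf_after         # other v: a ∉ Def_v, so (2) applies
    if a[0] == 'assign':
        u, t = a[1], set(a[2])
        before = nf_after - {u}             # (2): v ≠ u means a ∉ Def_v
        if u in nf_after:                   # (4): u := t with u not faint afterwards
            before |= t
        return before
    return set(nf_after)                    # skip: (2) for every variable


def not_faint(edges: List[Edge], points: List[str]) -> Dict[str, Set[str]]:
    """Least fixpoint: the smallest sets closed under step_not_faint along every edge."""
    nf = {n: set() for n in points}
    changed = True
    while changed:
        changed = False
        for n, a, m in edges:
            new = nf[n] | step_not_faint(a, nf[m])
            if new != nf[n]:
                nf[n], changed = new, True
    return nf


def faint(edges: List[Edge], points: List[str], variables: Set[str]) -> Dict[str, Set[str]]:
    """Faint = complement of not-faint over the variables of the program."""
    nf = not_faint(edges, points)
    return {n: variables - nf[n] for n in points}


def live(edges: List[Edge], points: List[str]) -> Dict[str, Set[str]]:
    """Ordinary liveness (a use reachable without an intervening definition), for contrast."""
    lv = {n: set() for n in points}
    changed = True
    while changed:
        changed = False
        for n, a, m in edges:
            uses = set(a[2]) if a[0] == 'assign' else set(a[1]) if a[0] == 'out' else set()
            defs = {a[1]} if a[0] == 'assign' else set()
            new = lv[n] | uses | (lv[m] - defs)
            if new != lv[n]:
                lv[n], changed = new, True
    return lv


# Constructed program: x and y only ever feed each other inside the loop and are
# never output, so they are faint everywhere although x is live at n2.
POINTS = ['n1', 'n2', 'n3', 'n4', 'n5']
VARS = {'x', 'y', 'z'}
EDGES: List[Edge] = [
    ('n1', ('assign', 'z', []), 'n2'),       # z := 0
    ('n2', ('assign', 'y', ['x']), 'n3'),    # y := x
    ('n3', ('assign', 'x', ['y']), 'n4'),    # x := y + 1
    ('n4', ('assign', 'z', ['z']), 'n2'),    # z := z + 1, back to the loop head
    ('n4', ('out', ['z']), 'n5'),            # out(z), then exit
]

if __name__ == '__main__':
    for n in POINTS:
        print(n, 'faint:', sorted(faint(EDGES, POINTS, VARS)[n]),
              'live:', sorted(live(EDGES, POINTS)[n]))
```

The iteration terminates because every step is monotone over finite sets of variables; the interprocedural version in the text replaces this fixpoint over points by the pushdown reachability computation of Table 6, where the stack keeps track of which incarnation of a local variable is being tracked.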
As we did in the last section, we do not check the complicated property “v
is faint at n” on a simple process system, but a simpler property on a more
complicated process system obtained by adding new agents and rules (although
this time no actions) to the old one. Intuitively, the new process system behaves
like the old one, but at any point in a computation it can nondeterministically
decide to push a program variable v into the stack — represented by an agent
constant V — and enter a faint mode of operation. From this moment on, the
system updates this variable according to the definition of non-faintness. The
(updated) variable stays in the stack as long as the path executed by the system
can possibly be extended to a path at which the variable is not faint. So the
variable is removed from the stack only when the process system knows that (a)
v is not faint for the path executed so far, or (b) v is faint at all paths extending
the path executed so far. In case (a) the process system pushes a new agent ⊥
into the stack, and in case (b) it pushes an agent ⊤.

Formally, the extended process system is obtained by adding the two agents
⊤ and ⊥, and new rules as shown in Table 6.



Old rule                  New additional rule(s)

N →a N'                   N →a V · N' for each variable v
                          (the faint mode can be entered anytime)

                          V · N →a ⊥ if a ∈ RefOut_v
                          (condition (1), ⊥ signals that v is not faint)

                          V · N →a V · N' if v global and a ∉ Def_v
                          (condition (2))

                          V · N →a U · N' if a = u := t and v appears in t
                          (condition (4))

N → START_i · N'          V · N → V · START_i · N' if v global
                          (condition (2))

                          V · N → START_i · V · N' if v local at n
                          (out of the scope of v)

N →end ε                  V · N →end V if v global
                          (condition (2))

                          V · N →end ⊤ if v local at n
                          (condition (3), this incarnation of v can no longer be defined
                          or referenced)

Table 6. Rules of the extended process system.



In order to obtain the set of program points at which the variable v is faint, we
compute the set of agents N for which there is a sequence START ⇒σ1 P1 ⇒σ2 P2
satisfying P1 = V · N · P1' and P2 = ⊥ · P2'. It suffices to compute an automaton
for

(pre*(⊥ · Con*) ∩ V · Con*) ∩ post*(START)
6 Interprocedural Bitvector Problems with Parallelism

In flow graph systems with parallelism, which we call in the sequel parallel flow
graph systems, we allow edge-labels of the form n —pcall π_{i1}, ..., π_{ik}→ n'. The
procedures π_{i1}, ..., π_{ik} are called in parallel; if and when they all terminate,
execution is continued at n'. Notice that parallel calls can be nested, and so
the number of procedures running in parallel is unbounded. Notice also that
flow graphs without parallelism are the special case in which k = 1 for all pcall
instructions.

We show that the four bitvector problems can be solved for parallel flow 
graph systems in polynomial time when all variables are global. For this it will 
suffice to apply a beautiful extension of Theorem 1 recently proved by Lugiez 
and Schnoebelen in [18]. 

In order to model parallel flow graph systems by process systems we need to
extend these to parallel process systems (also called process rewrite systems in
[20]). An agent of a parallel process system is a tree whose root and internal nodes
are labelled with either · or ‖, representing sequential and parallel composition,
and whose leaves are labelled with agent variables. So, for instance, the intended
meaning of the tree (X ‖ Y) · Z is that X and Y are first executed in parallel, and
if and when they terminate Z is executed. The empty tree γ, which satisfies

γ · P = P · γ = P

plays now the role of the terminated process. We denote the set of agents by
T(Con) (trees over Con). Rules are now elements of (T(Con) \ {γ}) × Act ×
T(Con). A set Δ of rules induces a reachability relation →a ⊆ T(Con) × T(Con)
for each a ∈ Act, defined as the smallest relation satisfying the following inference
rules:

— if (P1, a, P2) ∈ Δ, then P1 →a P2;

— if P1 →a P1' then P1 · P2 →a P1' · P2 for every P2 ∈ T(Con);

— if P1 →a P1' then P1 ‖ P2 →a P1' ‖ P2 and P2 ‖ P1 →a P2 ‖ P1' for every P2 ∈ T(Con).

We make free use of the fact that parallel composition is associative and
commutative with respect to any reasonable behavioural equivalence between agents,
such as bisimulation equivalence [22].

We associate to a parallel flow graph system the process system (Con, Act, Δ)
as in the sequential case, the only difference being the rule corresponding to
parallel calls, which is shown in Table 7. Observe that the left-hand side of all
rules consists of just one variable. Parallel process systems with this property
are closely related to the PA-algebra studied in [18].

Parallel flow graph                    Process rule

n —pcall π_{i1}, ..., π_{ik}→ n'       N →(pcall π_{i1}, ..., π_{ik}) (START_{i1} ‖ ··· ‖ START_{ik}) · N'

Table 7. Rules of the parallel process system
The four bitvector problems are defined almost as in the non-parallel case.
The only difference is that in the parallel setting a program path can begin or
end at many nodes due to the existence of parallel computation threads. In the
non-parallel case, the agents corresponding to “being at node n” are those of
the form N · P. In the parallel case, they are the agents (trees) satisfying the
following property: there is a leaf N which does not belong to the right subtree
of any node labelled by ·. We call the set of these agents At_n.



Solving the Problems. An agent is no longer a word, but a tree — and so a set
of agents is now a tree language. Tree automata can be used to finitely represent
infinite regular sets of agents. We briefly introduce the tree automata we need.
They are tuples (Q, A, δ, F) where:

- Q is a finite set of states and F ⊆ Q is a set of final states.

- A is a finite alphabet containing the set Con and two binary infix operators
· and ‖. The automaton accepts terms over this alphabet, which we just call
trees.

- δ is a finite set of transition rules of the form N → q, q1 · q2 → q, or q1 ‖ q2 → q.
The rules define a rewrite relation on terms over A ∪ Q.

The automaton accepts the trees that can be rewritten into a final state using
the transition rules. As an example, we present a tree automaton accepting the
set At_n. It has two states {q1, q2}, with q1 as final state, rules N → q1 and
N' → q2 for every program point n' ≠ n, and rules

q_i · q_j → q1 if i = 1, q2 otherwise;      q_i ‖ q_j → q1 if i = 1 or j = 1, q2 otherwise

for i, j ∈ {1, 2}.
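The two-state automaton for At_n, as an added example that is not part of the paper: a generic bottom-up tree automaton whose rules have exactly the three shapes listed above, instantiated with the rules just given, and cross-checked against a direct recursive test of the defining property (a leaf N outside the right subtree of every · node). The agent names N1, N2, N3, START and the sample trees are constructed for the example.

```python
"""Bottom-up tree automaton for the agent set At_n (constructed example)."""
from typing import Dict, Set, Tuple

# Agents are trees over Con: ('leaf', X), ('seq', T1, T2) for T1 · T2,
# or ('par', T1, T2) for T1 ‖ T2.
Tree = Tuple


class TreeAutomaton:
    """Deterministic bottom-up tree automaton with rules X → q, q1 · q2 → q, q1 ‖ q2 → q."""

    def __init__(self, leaf_rules: Dict[str, str], seq_rules: Dict[Tuple[str, str], str],
                 par_rules: Dict[Tuple[str, str], str], final: Set[str]):
        self.leaf_rules, self.seq_rules, self.par_rules, self.final = \
            leaf_rules, seq_rules, par_rules, final

    def run(self, tree: Tree) -> str:
        """Rewrite the tree bottom-up into the single state it reduces to."""
        if tree[0] == 'leaf':
            return self.leaf_rules[tree[1]]
        q1, q2 = self.run(tree[1]), self.run(tree[2])
        table = self.seq_rules if tree[0] == 'seq' else self.par_rules
        return table[(q1, q2)]

    def accepts(self, tree: Tree) -> bool:
        return self.run(tree) in self.final


def at_n_automaton(n: str, con: Set[str]) -> TreeAutomaton:
    """The two-state automaton from the text: q1 is reached exactly by trees that
    have a leaf N outside the right subtree of every '·' node."""
    states = ('q1', 'q2')
    leaf = {x: ('q1' if x == n else 'q2') for x in con}
    seq = {(qi, qj): ('q1' if qi == 'q1' else 'q2') for qi in states for qj in states}
    par = {(qi, qj): ('q1' if 'q1' in (qi, qj) else 'q2') for qi in states for qj in states}
    return TreeAutomaton(leaf, seq, par, {'q1'})


def has_active_leaf(tree: Tree, n: str) -> bool:
    """Direct check of the defining property, used to cross-check the automaton."""
    if tree[0] == 'leaf':
        return tree[1] == n
    if tree[0] == 'seq':                       # only the left operand of '·' is active
        return has_active_leaf(tree[1], n)
    return has_active_leaf(tree[1], n) or has_active_leaf(tree[2], n)


# Constructed agents over Con = {N1, N2, N3, START}
CON = {'N1', 'N2', 'N3', 'START'}
SAMPLES = {
    'N2 alone': ('leaf', 'N2'),
    '(N2 ‖ N1) · N3': ('seq', ('par', ('leaf', 'N2'), ('leaf', 'N1')), ('leaf', 'N3')),
    'N1 · N2': ('seq', ('leaf', 'N1'), ('leaf', 'N2')),
    'N1 ‖ (N3 · N2)': ('par', ('leaf', 'N1'), ('seq', ('leaf', 'N3'), ('leaf', 'N2'))),
    '(N2 · N3) ‖ N1': ('par', ('seq', ('leaf', 'N2'), ('leaf', 'N3')), ('leaf', 'N1')),
}


def classify(n: str = 'N2') -> Dict[str, bool]:
    """Run the At_n automaton over the samples and check it against has_active_leaf."""
    aut = at_n_automaton(n, CON)
    result = {}
    for name, tree in SAMPLES.items():
        accepted = aut.accepts(tree)
        assert accepted == has_active_leaf(tree, n), name
        result[name] = accepted
    return result


if __name__ == '__main__':
    for name, ok in classify().items():
        print(f"{name:16s} in At_N2: {ok}")
```

Because the automaton is deterministic and bottom-up, membership of a tree is decided in one pass over its nodes; the intersection with pre* and post* automata used in the text then works on these automata rather than on the infinite set At_n itself.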

The question arises whether Theorem 1 can be extended to the tree case,
i.e., the case in which Con* is replaced by T(Con). The answer is unfortunately
negative. For instance, it is not difficult to see that the problem of deciding
whether post*[C](L) is nonempty is undecidable even for the special case in
which each rule P1 →a P2 satisfies P1 ∈ Con and L contains only one agent [18].
However, Lugiez and Schnoebelen show in [18] that it is possible to save part of
the theorem. In particular, they prove the following result:

Theorem 2 ([18]). Let (Con, Act, Δ) be a parallel process system such that
each rule P1 →a P2 satisfies P1 ∈ Con, let L ⊆ T(Con) be a regular set of agents,
and let A ⊆ Act. Then pre*[A](L), post*[A](L), pre*[A*](L), and post*[A*](L)
are regular sets of agents, and tree automata accepting them can be effectively
computed in polynomial time.

In order to check if the variable v is live at a program point n, we have to
decide if there is a sequence START ⇒σ1 P1 ⇒σ2 P2 satisfying P1 ∈ At_n, and
σ2 ∈ LR. Fortunately, LR is the concatenation of two languages of the form
A and A* for which Theorem 2 holds, namely (Act − Def_v)* and Ref_v. So it
suffices to compute a tree automaton accepting

pre*[(Act − Def_v)*](pre*[Ref_v](T(Con))) ∩ post*(START) ∩ At_n

and check if it is empty. The other three bitvector problems are solved
analogously. If we now wish to extend this result to the case with both local and
global variables, we can proceed as in Section 4.2. However, the process system
so obtained contains rules whose left-hand side is a sequential composition of
two agents. Since Theorem 2 has only been proved for the case P1 ∈ Con, we
cannot directly apply it. The question whether the bitvector problems can also
be efficiently computed for local and global variables is still open.

7 Conclusions 

We have shown that recent progress in extending the automata-theoretic ap- 
proach to classes of processes with an infinite state space finds interesting ap- 
plications in interprocedural data-flow analysis. Even though research in this 
area is at its very beginning, it is already possible to envisage some advantages 
of automata techniques. First of all, data-flow problems are expressed in terms 
of the possible executions of a program, and so it is very natural to formalise 
them in language terms; from the point of view of temporal logic, data-flow 
problems correspond to linear-time properties, and so the automata-theoretic 
approach, which is particularly suitable for linear-time logics, seems to be very
adequate. Secondly, the approach profits from the very well studied area of
automata theory. For instance, Lugiez and Schnoebelen obtained their results [18]
by generalising constructions of [4, 10] for word automata to tree automata, and 
we could immediately apply them to bitvector problems in the interprocedural 
parallel case. 
The purpose of these notes is to discuss some examples of the importance
of types for reasoning about concurrent systems, and to list some relevant
references. The list is surely not meant to be exhaustive, as the area is broad and
very active. The examples are presented in the π-calculus [29], a paradigmatical
process calculus for message-passing concurrency. We will not describe the proof
techniques based on types with which the equalities in the examples are actually
proved; for this, the interested reader can follow the references.

Acknowledgements. I would like to thank Benjamin Pierce, for our collaborations
and the numerous discussions on the topic of these notes.

The π-calculus. As the λ-calculus, so the π-calculus language consists of a
small set of primitive constructs. In the λ-calculus, they are constructs for building
functions. In the π-calculus, they are constructs for building processes, notably:
composition P | Q to run two processes in parallel; restriction νx P to
localise the scope of name x to process P (name is a synonym for channel);
input x(y).P to receive a name z at x and then to continue as P{z/y}; output
x̄⟨y⟩.P to emit name y at x and then to continue as P; replication !P to express
processes with an infinite behaviour (!P stands for a countably infinite number
of copies of P in parallel); the inactive process 0. In the pure (i.e., untyped)
calculus, all values transmitted are names.

We will find it convenient to present some of the examples on the polyadic
π-calculus, an extension of the pure calculus in which tuples of names may be
transmitted. A polyadic input process x(y1, ..., yn).P waits for an n-tuple of
names z1, ..., zn at x and then continues as P{z1, ..., zn / y1, ..., yn} (that is, P
with the yi's replaced by the zi's); a polyadic output process x̄⟨y1, ..., yn⟩.P emits
names y1, ..., yn at x and then continues as P. We will abbreviate processes of
the form x̄⟨y1, ..., yn⟩.0 as x̄⟨y1, ..., yn⟩.

The most important predecessor of the π-calculus is CCS. The main novelty
of the π-calculus over CCS is that names themselves may be communicated. This
gives the π-calculus a much greater expressiveness. We can encode, for instance: data
values, the λ-calculus, higher-order process calculi (i.e., calculi where terms of the
language can be exchanged) [27, 28, 42], which indicates that the π-calculus can
be a model of languages incorporating functional and concurrent features, and
that it may be a foundation for the design of new programming languages; the
spatial dependencies among processes [39], which indicates that the π-calculus
can be a model of languages for distributed computing; (some) object-oriented
languages [21, 52, 22, 20].

Types. A type system is, roughly, a mechanism for classifying the expressions
of a program. Type systems are useful for several reasons: to perform optimisations
in compilers; to detect simple kinds of programming errors at compilation
time; to aid the structure and design of systems; to extract behavioral information
that can be used for reasoning about programs. In sequential programming
languages, type systems are widely used and generally well-understood. In concurrent
programming languages, by contrast, the tradition of type systems is
much less established.

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 31-40, 1999.

In the π-calculus world, types have quickly emerged as an important part of
its theory and of its applications, and as one of the most important differences
with respect to CCS-like languages. The types that have been proposed for the
π-calculus are often inspired by well-known type systems of sequential languages,
especially λ-calculi. Also type systems specific to processes have been (and are
being) investigated, for instance for preventing certain forms of interference
among processes or certain forms of deadlocks.

One of the main reasons for which types are important for reasoning on π-calculus
processes is the following. Although well-developed, the theory of the
pure π-calculus is often insufficient to prove “expected” properties of processes.
This is because a π-calculus programmer normally uses names according to some
precise logical discipline (the same happens for the λ-calculus, which is hardly
ever used untyped since each variable usually has an ‘intended’ functionality).
This discipline on names does not appear anywhere in the terms of the pure
calculus, and therefore cannot be taken into account in proofs. Types can bring
this structure back into light. Below we illustrate this point with two examples
that have to do with encapsulation.

Encapsulation. Desirable features in both sequential and concurrent languages
are facilities for encapsulation, that is for constraining the access to components
such as data and resources. The need for encapsulation has led to the development
of abstract data types and is a key feature of objects in object-oriented languages.

In CCS, encapsulation is given by the restriction operator. Restricting a
channel x on a process P, written (using π-calculus notation) νx P, guarantees
that interactions along x between subcomponents of P occur without interference
from outside. For instance, suppose we have two 1-place buffers, Buf1 and Buf2,
the first of which receives values along a channel x and resends them along y,
whereas the second receives at y and resends at z. They can be composed into
a 2-place buffer which receives at x and resends at z thus: νy (Buf1 | Buf2).
Here, the restriction ensures that actions at y from Buf1 and Buf2 are not
stolen by processes in the external environment. With the formal definitions of
Buf1 and Buf2 at hand, one can indeed prove that the system νy (Buf1 | Buf2)
is behaviourally equivalent to a 2-place buffer.

The restriction operator provides quite a satisfactory level of protection in
CCS, where the visibility of channels in processes is fixed. By contrast, restriction
alone is often not satisfactory in the π-calculus, where the visibility of channels
may change dynamically. Here are two examples.

Example 1 (A printer with mobile ownership [34]). Consider the situation in
which several client processes cooperate in the use of a shared resource such as
a printer. Data are sent for printing by the client processes along a channel p.
Clients may also communicate channel p so that new clients can get access to
the printer. Suppose that initially there are two clients

C1 = p̄⟨j1⟩. p̄⟨j2⟩ ···

C2 = b̄⟨p⟩

and therefore, writing P for the printer process, the initial system is

νp (P | C1 | C2).

One might wish to prove that C1's print jobs represented by j1 and j2 are eventually
received and processed in that order by the printer, possibly under some
fairness condition on the printer scheduling policy. Unfortunately this is false: a
misbehaving new client C3 which has obtained p from C2 can disrupt the protocol
expected by P and C1 just by reading print requests from p and throwing
them away:

C3 = p(j). p(j'). 0.

□

Example 2 (A boolean package implementation [35]). For an even more dramatic
example, consider a π-calculus representation of a simple boolean package:

BoolPack1 = (νt, f, if) (
    getBool⟨t, f, if⟩
  | !t(x, y). x̄⟨⟩
  | !f(x, y). ȳ⟨⟩
  | !if(b, x, y). b̄⟨x, y⟩ )

The package provides implementation of the true and false values and of an
if-true function. In the π-calculus, a boolean value is implemented as a process
located at a certain name; above the name is t for the value true and f for the
value false. This process receives two return channels, above called x and y,
and produces an answer at the first or at the second depending on whether
the value true or false is implemented. The if-true function is located at
if, where it receives three arguments: the location b of a boolean value and
two return channels x and y; the function interacts with the boolean located
at b and, depending on whether this is true or false, an answer at x or y is
produced. Both the boolean values and the if-true function are replicated so
that they may be used more than once. Other functionalities, like and, or and
not functions, can be added to the package in a similar way.

A client can use the package by reading at getBool the channels t, f and if.
After this, what remains of the package is

    !t(x, y). x̄⟨⟩
  | !f(x, y). ȳ⟨⟩
  | !if(b, x, y). b̄⟨x, y⟩
But now the implementation of the package is completely uncovered! A misbehaving
client has free access to the internal representation of the components. It
may interfere with these components, by attempting to read from t, f or if. It
may also send at if a tuple of names the first of which is not the location of a
boolean value. If multiple processes get to know the access channels t, f and if
(which may happen because these channels may be communicated), then a client
has no guarantee about the correctness of the answers obtained from querying
the package. □



Using types to obtain encapsulation. In the two examples, the protection
of a resource fails if the access to the resource is transmitted, because no assumptions
on the use of that access by a recipient can be made. Simple and
powerful encapsulation barriers against the mobility of names can be created
using type concepts familiar from the literature of typed λ-calculi. We discuss
the two examples above.

The misbehaving printer client C3 of Example 1 can be prevented by separating
between the input and the output capabilities of a channel. It suffices to
assign the input capability on channel p to the printer and the output capability
to the initial clients C1 and C2. In this way, new clients which receive p from
existing clients will only receive the output capability on p. The misbehaving C3
is thus ruled out as ill-typed, as it uses p in input. This idea of “directionality in
channels” was introduced in [34] and formalised by means of type constructs, the
i/o types. They give rise to a natural subtyping relation, similar to those used for
reference types in imperative languages like Forsythe (cf. Reynolds [38]). In the
case of the π-calculus encodings of the λ-calculus [27], this subtyping validates
the standard subtyping rules for function types [42]. This subtyping is also important
when modeling object-oriented languages, whose type systems usually
incorporate some powerful form of subtyping.
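The capability separation just described, as an added example that is neither these notes' nor the i/o type system's own code: a small checker for i/o types over the polyadic π-calculus terms used in Example 1. Input needs the i capability on the subject and output the o capability; an io-typed name supplies either by subsumption, i-types are covariant and o-types contravariant in what they carry. The base type Job, the printer body !p(j).0, and the channel b on which C2 hands p out (typed so that b carries only the output capability on p) are assumptions of the example. With that typing the misbehaving C3 is rejected because it inputs on p; when b instead carries the full capability, the same C3 type-checks, which is the situation restriction alone leaves us in.

```python
"""i/o types for a polyadic pi-calculus: a constructed capability checker."""
from typing import Dict, List, Tuple

# Types: ('base', name) for plain values, ('chan', cap, payload) for channels, where
# cap ∈ {'i', 'o', 'io'} is the capability held and payload the list of carried types.
Type = Tuple


def base(name: str) -> Type:
    return ('base', name)


def chan(cap: str, *payload: Type) -> Type:
    return ('chan', cap, list(payload))


def subtype(s: Type, t: Type) -> bool:
    """s ≤ t: i-types are covariant, o-types contravariant, io-types invariant in the
    payload, and an io-type is below the i- and o-types with the same payload."""
    if s[0] != t[0]:
        return False
    if s[0] == 'base':
        return s[1] == t[1]
    scap, sp, tcap, tp = s[1], s[2], t[1], t[2]
    if len(sp) != len(tp):
        return False
    pairs = list(zip(sp, tp))
    if tcap == 'io':
        return scap == 'io' and all(subtype(a, b) and subtype(b, a) for a, b in pairs)
    if tcap == 'i':
        return scap in ('i', 'io') and all(subtype(a, b) for a, b in pairs)
    return scap in ('o', 'io') and all(subtype(b, a) for a, b in pairs)   # tcap == 'o'


# Processes: NIL, par(P, Q, ...), res(x, T, P) for νx:T P, inp(x, [y..], P) for
# x(y..).P, out(x, [y..], P) for x̄⟨y..⟩.P, repl(P) for !P.
NIL = ('nil',)
def par(*ps): return ('par', list(ps))
def res(x, t, p): return ('res', x, t, p)
def inp(x, ys, p=NIL): return ('in', x, list(ys), p)
def out(x, ys, p=NIL): return ('out', x, list(ys), p)
def repl(p): return ('repl', p)


class IllTyped(Exception):
    pass


def check(env: Dict[str, Type], p) -> None:
    """Raise IllTyped unless env ⊢ p. Input needs the i capability on the subject,
    output needs o; an io-typed name supplies either by subsumption."""
    kind = p[0]
    if kind == 'nil':
        return
    if kind == 'par':
        for q in p[1]:
            check(env, q)
    elif kind == 'repl':
        check(env, p[1])
    elif kind == 'res':
        check({**env, p[1]: p[2]}, p[3])
    else:                                            # 'in' or 'out'
        x, names, cont = p[1], p[2], p[3]
        need = 'i' if kind == 'in' else 'o'
        tx = env.get(x)
        if tx is None or tx[0] != 'chan' or tx[1] not in (need, 'io'):
            raise IllTyped(f"{x} does not carry the {need} capability (has {tx})")
        payload = tx[2]
        if len(payload) != len(names):
            raise IllTyped(f"arity mismatch on {x}")
        if kind == 'in':                              # bound names get the payload types
            check({**env, **dict(zip(names, payload))}, cont)
        else:                                         # sent names must fit the payload
            for y, t in zip(names, payload):
                if y not in env or not subtype(env[y], t):
                    raise IllTyped(f"{y}: {env.get(y)} is not a subtype of {t}")
            check(env, cont)


def well_typed(env: Dict[str, Type], p) -> bool:
    try:
        check(env, p)
        return True
    except IllTyped:
        return False


# Example 1 in types (assumed: a base type Job, a printer body !p(j).0, and a channel
# b : io[o Job] over which C2 passes p; b's payload type is all a new client sees of p).
JOB = base('Job')
ENV_IO = {'b': chan('io', chan('o', JOB)), 'j1': JOB, 'j2': JOB, 'j3': JOB}
ENV_PLAIN = {**ENV_IO, 'b': chan('io', chan('io', JOB))}   # no i/o separation on p

PRINTER = repl(inp('p', ['j']))
C1 = out('p', ['j1'], out('p', ['j2']))
C2 = out('b', ['p'])
SYSTEM = res('p', chan('io', JOB), par(PRINTER, C1, C2))   # νp (P | C1 | C2)
C3_OK = inp('b', ['p'], out('p', ['j3']))                   # new client that only prints
C3_BAD = inp('b', ['p'], inp('p', ['j'], inp('p', ['k'])))  # reads jobs off p: the C3 of the text

if __name__ == '__main__':
    print('system well typed:', well_typed(ENV_IO, SYSTEM))
    print('C3 with i/o types:', well_typed(ENV_IO, C3_BAD))
    print('C3 without i/o separation:', well_typed(ENV_PLAIN, C3_BAD))
```

The decisive check is the one on C2: sending p on b requires the type held on p (the full io type created by the restriction) to be a subtype of what b carries, and io[Job] ≤ o[Job] holds, so the existing clients type-check while every recipient sees p at the weaker output-only type.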

A common concept in typed λ-calculi is polymorphism. It is rather straightforward
to add it onto a π-calculus type system by allowing channels to carry
a tuple of both types and values. Forms of polymorphic type systems for the
π-calculus are presented in [12, 50, 48, 47, 35, 11]. Polymorphic types can be used
in Example 2 of the boolean package BoolPack1 to hide the implementation
details of the package components, in a way similar to Mitchell and Plotkin's
representation of abstract data types in the λ-calculus [30]. We can make channel
getBool polymorphic by abstracting away the type of the boolean channels t
and f. This forces a well-typed observer to use t and f only as arguments of the
if-true function. Indeed, using polymorphism this way the package BoolPack1
is indistinguishable from the package

BoolPack2 = (νt, f, if) (
    getBool⟨t, f, if⟩
  | !t(x, y). ȳ⟨⟩
  | !f(x, y). x̄⟨⟩
  | !if(b, x, y). b̄⟨y, x⟩ )
The latter has a different internal representation of the boolean values (a value
true responds on the second of the two return channels, rather than on the first,
and similarly for the value false) and of the if-true function. By “indistinguishable”,
we mean that no well-typed observer can tell the difference between
the two packages by interacting with them.

The packages BoolPack1 and BoolPack2 are not behaviourally equivalent in
the standard theories of behavioural equivalences for process calculi. Trace equivalence
is considered the coarsest behavioural equivalence; the packages are not
trace equivalent because they have several different traces of actions, e.g.,

getBool⟨t, f, if⟩ if(t, x, y) t̄⟨x, y⟩

is a trace of BoolPack1 but not of BoolPack2.

Similarly, suppose we have, as in some versions of the π-calculus, a mismatch
construct [x≠y]P that behaves as P if names x and y are different, as 0 if
they are equal. With polymorphism we can make BoolPack1 equivalent to the
package BoolPack3 obtained from BoolPack1 by replacing the line implementing
the conditional test with:

!if(b, x, y). (b̄⟨x, y⟩ | [b≠t][b≠f]BAD).

where BAD can be any process. The new package is equivalent to BoolPack1
because the value received at if for b is always either t or f. This example shows
that a client of the boolean package is not authorized to make up new values of
the same type as the boolean channels t and f, since the client knows nothing
about this type. Again, the equivalence between BoolPack1 and BoolPack3 is
not valid in the standard theories of behavioural equivalences for process calculi.

Types for reasoning. Types are important for reasoning on π-calculus processes.
First, types reduce the number of legal contexts in which a given process
may be tested. The consequence is that more behavioural equalities between processes
are true than in the untyped calculus. Examples of this have been given
above. The equalities considered in these examples fail in the untyped π-calculus,
even with respect to the very coarse notion of trace equivalence. That is, there
are contexts of the untyped π-calculus that are able to detect the difference between
the processes of the equalities. By imposing type systems, these contexts
are ruled out as ill-typed. On the remaining legal contexts the processes being
compared are indistinguishable. Useful algebraic laws, such as laws for copying
or distributing resources whose effect is to localise computation or laws for
enhancing the parallelism in a process, can thus become valid.

Secondly, types facilitate the reasoning, by allowing the use of some proof
techniques or simplifying their application. For instance type systems for linearity,
confluence, and receptiveness (see below) guarantee that certain communications
are not preemptive. This is a partial confluence property, in the presence of which
only parts of process behaviours need to be explored. Types can also allow more
efficient implementations of communications between channels, or optimisations
in compilers such as tail-call optimisation.
Another situation where types are useful is in limiting the explosion of the
number of the derivatives of a process. To see why this can be a problem, consider
a process a(x). P. In the untyped π-calculus, its behaviour is determined by the
set of all derivatives P{b/x}, where b ranges over the free names of P plus a fresh
one. In case of a cascade of inputs, this gives rise to state explosion, which at
present is a serious obstacle to the development of tools for mechanical analysis
of processes. The number of legal derivatives of processes can be reduced using
types. For instance, in the example of the boolean package BoolPack1, having
polymorphic types we know that the only possible names that can be received
for the parameter b of the if-true function are t and f.



Types in π-calculi: some references. In the λ-calculus, where functions are
the unit of interaction, the key type construct is the arrow type. In the π-calculus
names are the unit of interaction and therefore the key type construct is the
channel (or name) type ♯T. A type assignment a : ♯T means that a can be used
as a channel to carry values of type T. As names can carry names, T itself can be
a channel type. If we add a set of basic types, such as integer or boolean types, we
obtain the analogue of the simply-typed λ-calculus, which we may therefore call the
simply-typed π-calculus. Type constructs familiar from sequential languages, such
as those for products, unions, records, variants, recursive types, polymorphism,
subtyping, linearity, can be adapted to the π-calculus [12, 50, 51, 18, 48, 47, 24,
19, 32, 11, 35, 3].

If we have recursive types, then we may avoid basic types as initial elements
for defining types. The calculus with channel, product and recursive types is the
polyadic π-calculus, mentioned at the beginning of these notes. Its type system
is, essentially, Milner's sorting system [27], historically the first form of type
system for the π-calculus (in the sorting system type equality is syntactic, i.e.,
‘by-name’; more flexible notions of type equality are adopted in later systems).

The following type systems are developments of those above but go beyond
traditional type systems for sequential languages. Sewell [43] and Hennessy and
Riely [17, 16] extend the i/o type system with richer sets of capabilities for distributed
versions of the π-calculus (also [9] extends i/o types, on a Linda-based
distributed language). Steffen and Nestmann [45] use types to obtain confluent
processes. Receptive types [40] guarantee that the input end of a name is “functional”,
in the sense that it is always available (hence messages sent along that
name can be immediately processed) and with the same continuation. Yoshida
[53], Boudol [7], Kobayashi and Sumii [23, 46], and Ravara and Vasconcelos [37]
put forward type systems that prevent certain forms of deadlocks. Abadi [1] uses
types for guaranteeing secrecy properties in security protocols. The typing rules
guarantee that a protocol that typechecks does not leak its secret information.
Typing rules and protocols are presented on the spi-calculus, an extension of
the π-calculus with shared-key cryptographic primitives. Honda [19] proposes
a general framework for the above-mentioned types, as well as other type
systems.
Experimental typed programming languages, or proposals for typed programming
languages, inspired by the π-calculus include Pict [36], Join [10], Blue [6],
and Tyco [49].

Reasoning techniques for typed behavioural equivalences are presented in [34,
5, 3, 26, 17] for i/o or related types, in [35] for polymorphic types, in [24] for linear
types, in [40] for receptive types. One of the most important application areas for
the π-calculus is object-oriented languages. The reason is that naming is a central
notion both for these languages and for the π-calculus. Proof techniques based
on types have been used to prove the validity of algebraic laws and program
transformations on object-oriented languages [22, 41, 8, 20].



Other type systems for concurrent calculi. Type systems can be used to
guarantee safety properties, such as the absence of run-time errors. Examples 1
and 2 above show more refined properties, in which types prevent undesirable
interactions among processes (even if these interactions would not produce run-time
errors), thus guaranteeing that certain security constraints are not violated.
In the printer Example 1, i/o types prevent a malicious adversary from stealing
jobs sent to the printer. In the boolean package Example 2, polymorphism prevents
free access to the implementation details of the package.

Here are other works that apply types to security, on calculi or languages 
that are not based on the TT-calculus. Smith and Volpano [44] use type systems 
to control information flow and to guarantee that private information is not 
improperly disclosed. Program variables are separated into high security and 
low security variables; the type system prevents information from flowing from 
high variables to low variables, so that the final values of the low variables are 
independent of the initial values of the high variables. On the use of type systems 
for controlling the flow of secure information, see also Heintze and Riecke [15]. 
Leroy and Rouaix [25] show how types can guarantee certain security properties 
on applets. Necula and Lee’s proof-carrying code [31] is an elegant technique for 
ensuring safety of mobile code; mobile code is equipped with a proof attesting the 
conformity of the code to some safety policy. Defining and checking the validity 
of proofs exploits the type theory of the Edinburgh Logical Framework. 
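The Smith and Volpano idea described above, as an added example that is not their system or code: a checker for a tiny imperative language in which every variable is labelled high or low. An assignment is accepted only if the label of its right-hand side, joined with the label of the guards enclosing it (the program-counter label, which is what catches implicit flows through branches and loops), is at or below the label of the target. The command syntax, the two-point lattice and the sample programs are constructed for the example; expressions are abstracted to the set of variables they read.

```python
"""Secure information flow typing in the style of Smith and Volpano (constructed example)."""
from typing import Dict, List, Tuple

# Two-point lattice L ⊑ H (low may flow to high, never the reverse).
RANK = {'L': 0, 'H': 1}


def leq(a: str, b: str) -> bool:
    return RANK[a] <= RANK[b]


def join(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


# Commands: ('skip',), ('assign', x, vars_read), ('seq', [c1, c2, ...]),
# ('if', vars_read, c_then, c_else), ('while', vars_read, body).
# Expressions are abstracted to the list of variables they read.
Cmd = Tuple


def expr_label(vars_read: List[str], labels: Dict[str, str]) -> str:
    """Label of an expression: the join of the labels of the variables it reads."""
    lab = 'L'
    for v in vars_read:
        lab = join(lab, labels[v])
    return lab


class InsecureFlow(Exception):
    pass


def check(cmd: Cmd, labels: Dict[str, str], pc: str = 'L') -> None:
    """Raise InsecureFlow unless every assignment satisfies
    label(expression) ⊔ pc ⊑ label(target); pc is the label of the guards enclosing cmd."""
    kind = cmd[0]
    if kind == 'skip':
        return
    if kind == 'assign':
        x, rhs = cmd[1], cmd[2]
        src = join(expr_label(rhs, labels), pc)
        if not leq(src, labels[x]):
            raise InsecureFlow(f"{src} information flows into {x} ({labels[x]})")
    elif kind == 'seq':
        for c in cmd[1]:
            check(c, labels, pc)
    elif kind == 'if':
        guard = join(expr_label(cmd[1], labels), pc)   # implicit flow through the guard
        check(cmd[2], labels, guard)
        check(cmd[3], labels, guard)
    elif kind == 'while':
        guard = join(expr_label(cmd[1], labels), pc)   # same for loop guards
        check(cmd[2], labels, guard)
    else:
        raise ValueError(kind)


def secure(cmd: Cmd, labels: Dict[str, str]) -> bool:
    try:
        check(cmd, labels)
        return True
    except InsecureFlow:
        return False


LABELS = {'secret': 'H', 'tmp': 'H', 'public': 'L', 'counter': 'L'}

# Constructed programs.
EXPLICIT_LEAK = ('assign', 'public', ['secret'])                          # public := secret
IMPLICIT_LEAK = ('if', ['secret'], ('assign', 'public', []), ('skip',))   # if secret then public := 1
LAUNDERED_LEAK = ('seq', [('assign', 'tmp', ['secret']),                  # tmp := secret;
                          ('while', ['tmp'], ('assign', 'counter', ['counter']))])  # while tmp: counter++
UPWARD_FLOW = ('seq', [('assign', 'secret', ['public']),                  # secret := public;
                       ('assign', 'public', ['public', 'counter'])])      # public := public + counter
HIGH_BRANCH = ('if', ['secret'], ('assign', 'tmp', ['public']), ('assign', 'tmp', []))  # H targets only

if __name__ == '__main__':
    for name, prog in [('explicit leak', EXPLICIT_LEAK), ('implicit leak', IMPLICIT_LEAK),
                       ('laundered leak', LAUNDERED_LEAK), ('upward flow', UPWARD_FLOW),
                       ('high branch', HIGH_BRANCH)]:
        print(f"{name:14s} secure: {secure(prog, LABELS)}")
```

The laundered leak is the case that a check on assignments alone would miss: copying the secret into another high variable is allowed, but a loop guarded by that variable raises the program-counter label, so the low counter it updates would reveal the secret and the program is rejected.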

Applications of type theories to process reasoning include the use of theorem 
provers to verify the correctness of process protocols and process transformations 
[4,33,14]. 

We conclude mentioning a denotational approach to types for reasoning on 
processes. Abramsky, Gay and Nagarajan [2] have proposed Interaction Cate- 
gories as a semantic foundation for typed concurrent languages, based on cate- 
gory theory and linear logic. In Interaction Categories, objects are types, mor- 
phisms are processes respecting those types, and composition is process interac- 
tion. Interaction Categories have been used to give the semantics to data-flow 
languages such as Lustre and Signal, and to define classes of processes that 
are deadlock-free in a compositional way. [13] presents a typed process calculus 
whose design follows the structure of Interaction Categories. It is not clear at 
present how Interaction Categories can handle process mobility and distribution. 
Abstract. This study offers a characterization of the collection of properties 
expressible in Hennessy-Milner Logic (HML) with recursion that can be tested 
using finite LTSs. In addition to actions used to probe the behaviour of the 
tested system, the LTSs that we use as tests will be able to perform a 
distinguished action nok to signal their dissatisfaction during the interaction 
with the tested process. A process s passes the test T iff T does not perform 
the action nok when it interacts with s. A test T tests for a property $\phi$ in 
HML with recursion iff it is passed by exactly the states that satisfy $\phi$. 
The paper gives an expressive completeness result offering a characterization 
of the collection of properties in HML with recursion that are testable in the 
above sense. 



1 Introduction 

Observational semantics for concurrent processes are based upon the general 
idea that two processes should be equated, unless they behave differently, in 
some precise sense, when they are made to interact with some distinguishing 
environment. Such an idea is, in arguably its purest form, the foundation of 
the theory of the testing equivalences of De Nicola and Hennessy [4, 6]. In 
the theory of testing equivalence, two processes, described abstractly as labelled 
transition systems (LTSs) [8], are deemed to be equivalent iff they pass exactly 
the same tests. A test is itself an LTS — i.e., a process — which may perform 
a distinguished action to signal that it is (un)happy with the outcome of its 
interaction with the tested process. Intuitively, the purpose of submitting a 
process to a test is to discover whether it enjoys some distinguished property 
or not. Testing equivalence then stipulates that two processes that enjoy the 
same properties for which tests can be devised are to be considered equivalent. 
The main aim of this study is to present a characterization of the collection of 
properties of concurrent processes that can be tested using LTSs. Of course, 
in order to be able to even attempt such a characterization (let alone provide 
it), we need to precisely define a formalism for the description of properties of 
LTSs, single out a collection of LTSs as tests, and describe the testing process 
and when an LTS passes or fails a test. 

As our specification formalism for properties of processes, we use Hennessy- 
Milner Logic (HML) with recursion [10]. This is a very expressive property 
language which results from the addition of least and greatest fixed points to 
the logic considered by Hennessy and Milner in their seminal study [7]. The 
resulting property language is indeed just a reformulation of the modal μ-calculus 
[10]. Following the idea of using test automata to check whether processes enjoy 
properties described by formulae in such a language [2, 1], we use finite LTSs as 
property testers. In addition to actions used to probe the behaviour of the tested 
system, the LTSs that we use as tests will be able to perform a distinguished 
action nok (read ‘not okay’) to signal their dissatisfaction during the interaction 
with the tested process. As in the approach underlying the testing equivalences, 
a test interacts with a process by communicating with it, and, in keeping with 
the aforementioned references, the interaction between processes and tests will 
be described using the (derived) operation of restricted parallel composition from 
CCS [13]. 

We say that a process s fails the test T iff T can perform the action nok when 
it interacts with s. Otherwise s passes T. A test T tests for a property $\phi$ in 
HML with recursion iff it is passed by exactly the states that satisfy $\phi$. The 
main result of the paper is an expressive completeness result offering a 
characterization of the collection of properties in HML with recursion that are 
testable in the above sense. We refer to this language as SHML (for ‘safety 
HML’). More precisely we show that: 

- every property $\phi$ of SHML is testable, in the sense that there exists a test 
$T_\phi$ such that s satisfies $\phi$ if and only if s passes $T_\phi$, for every process s; and 

- every test T is expressible in SHML, in the sense that there exists a formula 
$\phi_T$ of SHML such that, for every process s, the agent s passes T if and only 
if s satisfies $\phi_T$. 

This expressive completeness result will be obtained as a corollary of a stronger 
result pertaining to the compositionality of the property language SHML. A 
property language is compositional if checking whether a composite system $s \| T$ 
satisfies a property $\phi$ can be reduced to deciding whether the component s has a 
corresponding property $\phi/T$. As the property $\phi/T$ is required to be expressible 
in the property language under consideration, compositionality clearly puts a 
demand on its expressive power. Let $\mathcal{L}_{nok}$ be the property language that only 
contains the simple safety property $[nok]ff$, expressing that the nok action cannot 
be performed. We prove that SHML is the least expressive, compositional 
extension of the language $\mathcal{L}_{nok}$ (Thm. 3.19). This yields the desired expressive 
completeness result because any compositional property language that can express 
the property $[nok]ff$ is expressive complete with respect to tests (Propn. 3.13). 
Any increase in expressiveness for the language SHML can only be obtained at 
the loss of testability. 
The paper is organized as follows. After reviewing the model of labelled 
transition systems and HML with recursion (Sect. 2), we introduce tests and 
describe how they can be used to test for properties of processes (Sect. 3). We 
then proceed to argue that not every formula in HML with recursion is testable 
(Propn. 3.4), but that its sub-language SHML is (Sect. 3.1). Our main results 
on the compositionality and completeness of SHML are presented in Sect. 3.2. 

2 Preliminaries 

We begin by briefly reviewing the basic notions from process theory that will 
be needed in this study. The interested reader is referred to, e.g., [7, 10, 13] for 
more details. 

Labelled Transition Systems Let $\mathit{Act}$ be a set of actions, and let $a, b$ range 
over it. We assume that $\mathit{Act}$ comes equipped with a mapping $\bar{\cdot} : \mathit{Act} \to \mathit{Act}$ 
such that $\bar{\bar{a}} = a$, for every $a \in \mathit{Act}$. Action $\bar{a}$ is said to be the complement of 
$a$. We let $\mathit{Act}_\tau$ (ranged over by $\mu$) stand for $\mathit{Act} \cup \{\tau\}$, where $\tau$ is a symbol not 
occurring in $\mathit{Act}$. Following Milner [13], the symbol $\tau$ will stand for an internal 
action of a system; such actions will typically arise from the synchronization of 
complementary actions (cf. the rules for the operation of parallel composition in 
Defn. 2.2). 

Definition 2.1. A labelled transition system (LTS) over the set of actions $\mathit{Act}_\tau$ 
is a triple $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$ where $S$ is a set of states, and $\to \subseteq S \times \mathit{Act}_\tau \times S$ 
is a transition relation. An LTS is finite iff its set of states and its transition 
relation are both finite. It is rooted if a distinguished state $root(\mathcal{T}) \in S$ is singled 
out as its start state. 

As is standard practice in process theory, we use the more suggestive notation 
$s \xrightarrow{\mu} s'$ in lieu of $(s, \mu, s') \in \to$. We also write $s \stackrel{\mu}{\nrightarrow}$ if there is no state $s'$ such 
that $s \xrightarrow{\mu} s'$. Following [13], we now proceed to define versions of the transition 
relations that abstract from the internal evolution of states as follows: 

$$ s \stackrel{\varepsilon}{\Longrightarrow} s' \;\text{ iff }\; s \Longrightarrow s' $$

$$ s \stackrel{a}{\Longrightarrow} s' \;\text{ iff }\; \exists s_1, s_2 .\; s \Longrightarrow s_1 \xrightarrow{a} s_2 \Longrightarrow s' $$

where we use $\Longrightarrow$ to stand for the reflexive, transitive closure of $\xrightarrow{\tau}$. 

Definition 2.2 (Operations on LTSs). 

- Let $\mathcal{T}_i = (S_i, \mathit{Act}_\tau, \to_i)$ ($i \in \{1, 2\}$) be two LTSs. The parallel composition 
of $\mathcal{T}_1$ and $\mathcal{T}_2$ is the LTS $\mathcal{T}_1 \| \mathcal{T}_2 = (S_1 \times S_2, \mathit{Act}_\tau, \to)$, where the transition 
relation $\to$ is defined by the rules ($\mu \in \mathit{Act}_\tau$, $a \in \mathit{Act}$): 

$$ \frac{s_1 \xrightarrow{\mu}_1 s_1'}{s_1 \| s_2 \xrightarrow{\mu} s_1' \| s_2} \qquad \frac{s_2 \xrightarrow{\mu}_2 s_2'}{s_1 \| s_2 \xrightarrow{\mu} s_1 \| s_2'} \qquad \frac{s_1 \xrightarrow{a}_1 s_1' \quad s_2 \xrightarrow{\bar{a}}_2 s_2'}{s_1 \| s_2 \xrightarrow{\tau} s_1' \| s_2'} $$

In the rules above, and in the remainder of the paper, we use the more 
suggestive notation $s \| s'$ in lieu of $(s, s')$. 
- Let $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$ be an LTS and let $L \subseteq \mathit{Act}$ be a set of actions. The 
restriction of $\mathcal{T}$ over $L$ is the LTS $\mathcal{T} \backslash L = (S \backslash L, \mathit{Act}_\tau, \to)$, where $S \backslash L = 
\{ s \backslash L \mid s \in S \}$ and the transition relation is defined by the rules: 

$$ \frac{s \xrightarrow{\tau} s'}{s \backslash L \xrightarrow{\tau} s' \backslash L} \qquad \frac{s \xrightarrow{a} s'}{s \backslash L \xrightarrow{a} s' \backslash L} $$

where $a, \bar{a} \notin L$. 

The reader familiar with [13] may have noticed that the above definitions of 
parallel composition and restriction are precisely those of CCS. We refer the 
interested reader to op. cit. for more details on these operations. 

Hennessy-Milner Logic with Recursion In their seminal study [7], Hen- 
nessy and Milner gave a logical characterization of bisimulation equivalence [14] 
(over states of image-finite LTSs) in terms of a (multi-)modal logic which has 
since then been referred to as Hennessy-Milner Logic (HML) . For the sake of com- 
pleteness and clarity, we now briefly review a variation of this property language 
for concurrent processes which contains operations for the recursive definition 
of formulae — a feature that dramatically increases its expressive power. The 
interested reader is referred to, e.g., [10] for more details. 

Definition 2.3. Let Var be a countably infinite set of formula variables, and let 
nok denote an action symbol not contained in $\mathit{Act}$. The collection HML(Var) of 
formulae over Var and $\mathit{Act} \cup \{nok\}$ is given by the following grammar: 

$$ \phi ::= tt \mid ff \mid \phi \vee \phi \mid \phi \wedge \phi \mid \langle a \rangle \phi \mid [a]\phi \mid X \mid min(X, \phi) \mid max(X, \phi) $$

where $a \in \mathit{Act} \cup \{nok\}$, $X$ is a formula variable and $min(X, \phi)$ (respectively, 
$max(X, \phi)$) stands for the least (respectively, largest) solution of the recursion 
equation $X = \phi$. 

We use SHML(Var) (for ‘safety HML’) to stand for the collection of formulae 
in HML(Var) that do not contain occurrences of $\vee$, $\langle a \rangle$ and $min(X, \phi)$. 

A closed recursive formula of HML(Var) is a formula in which every formula 
variable $X$ is bound, i.e., every occurrence of $X$ appears within the scope of 
some $min(X, \phi)$ or $max(X, \phi)$ construct. A variable $X$ is free in the formula $\phi$ if 
some occurrence of it in $\phi$ is not bound. For example, the formula $max(X, X)$ is 
closed, but $min(X, [a]Y)$ is not because $Y$ is free in it. The collection of closed 
formulae contained in HML(Var) (respectively, SHML(Var)) will be written HML 
(resp. SHML). In the remainder of this paper, every formula will be closed, 
unless specified otherwise, and we shall identify formulae that only differ in the 
names of their bound variables. For formulae $\phi$ and $\psi$, and a variable $X$, we 
write $\phi\{\psi/X\}$ for the formula obtained by replacing every free occurrence of $X$ 
in $\phi$ with $\psi$. The details of such an operation in the presence of binders are 
standard (see, e.g., [15]), and are omitted here. 

Given an LTS $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$, an environment is a mapping $\rho : \mathrm{Var} \to 2^S$. 
For an environment $\rho$, variable $X$ and subset of states $S'$, we write $\rho[X \mapsto S']$ for 
the environment mapping $X$ to $S'$, and acting like $\rho$ on all the other variables. 
Definition 2.4 (Satisfaction Relation). Let $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$ be an LTS. 
For every environment $\rho$ and formula $\phi$ contained in HML(Var), the collection 
$[\![\phi]\!]\rho$ of states in $S$ satisfying the formula $\phi$ with respect to $\rho$ is defined by 
structural recursion on $\phi$ thus: 

$$\begin{array}{rcl}
[\![tt]\!]\rho & \stackrel{def}{=} & S \\
[\![ff]\!]\rho & \stackrel{def}{=} & \emptyset \\
[\![\phi_1 \vee \phi_2]\!]\rho & \stackrel{def}{=} & [\![\phi_1]\!]\rho \cup [\![\phi_2]\!]\rho \\
[\![\phi_1 \wedge \phi_2]\!]\rho & \stackrel{def}{=} & [\![\phi_1]\!]\rho \cap [\![\phi_2]\!]\rho \\
[\![[a]\phi]\!]\rho & \stackrel{def}{=} & \{ s \mid \text{for every } s',\ s \stackrel{a}{\Longrightarrow} s' \text{ implies } s' \in [\![\phi]\!]\rho \} \\
[\![X]\!]\rho & \stackrel{def}{=} & \rho(X) \\
[\![min(X, \phi)]\!]\rho & \stackrel{def}{=} & \bigcap \{ S' \mid [\![\phi]\!]\rho[X \mapsto S'] \subseteq S' \} \\
[\![max(X, \phi)]\!]\rho & \stackrel{def}{=} & \bigcup \{ S' \mid S' \subseteq [\![\phi]\!]\rho[X \mapsto S'] \} .
\end{array}$$

The interested reader will find more details on this definition in, e.g., [10]. Here 
we just confine ourselves to remarking that, as the interpretation of each formula 
$\phi$ containing at most $X$ free induces a monotone mapping $[\![\phi]\!] : 2^S \to 2^S$, the 
closed formulae $min(X, \phi)$ and $max(X, \phi)$ are indeed interpreted as the least and 
largest solutions, respectively, of the equation $X = \phi$. If $\phi$ is a closed formula, 
then the collection of states satisfying it is independent of the environment $\rho$, 
and will be written $[\![\phi]\!]$. In the sequel, for every state $s$ and closed formula $\phi$, 
we shall write $s \models \phi$ (read ‘$s$ satisfies $\phi$’) in lieu of $s \in [\![\phi]\!]$. 

When restricted to SHML, the satisfaction relation $\models$ is the largest relation 
included in $S \times$ SHML satisfying the implications in Table 1. A relation satisfying 
the defining implications for $\models$ will be called a satisfiability relation. It follows 
from standard fixed-point theory [16] that, over $S \times$ HML, the relation $\models$ is the 
union of all satisfiability relations and that the above implications are in fact 
biimplications for $\models$. 

Remark. Since nok is not contained in $\mathit{Act}$, every state of an LTS trivially 
satisfies formulae of the form $[nok]\phi$. The role played by these formulae in the 
developments of this paper will become clear in Sect. 3.2. Dually, no state of an 
LTS satisfies formulae of the form $\langle nok \rangle \phi$. 

Formulae $\phi$ and $\psi$ are logically equivalent (with respect to $\models$) iff they are satisfied 
by the same states. We say that a formula is satisfiable iff it is satisfied by at 
least one state in some LTS, otherwise we say that it is unsatisfiable. 



3 Testing Formulae 

$$\begin{array}{lcl}
s \models tt & \Rightarrow & \text{true} \\
s \models ff & \Rightarrow & \text{false} \\
s \models \phi_1 \wedge \phi_2 & \Rightarrow & s \models \phi_1 \text{ and } s \models \phi_2 \\
s \models [a]\phi & \Rightarrow & \forall s'.\ s \stackrel{a}{\Longrightarrow} s' \text{ implies } s' \models \phi \\
s \models max(X, \phi) & \Rightarrow & s \models \phi\{max(X, \phi)/X\}
\end{array}$$

Table 1. Satisfaction implications 

As mentioned in Sect. 1, the main aim of this paper is to present a complete 
characterization of the class of testable properties of states of LTSs that can 
be expressed in the language HML. In this section we define the collection of 
tests and the notion of property testing used in this study. Informally, testing 
involves the parallel composition of the tested state with a test. Following the 
spirit of the classic approach of De Nicola and Hennessy [4, 6], we say that the 
tested state fails a test if the distinguished reject action nok can be performed 
by the test while it interacts with it, and passes otherwise. The formal definition 
of testing then involves the definition of what a test is, how interaction takes 
place and when the test has failed or succeeded. We now proceed to make these 
notions precise. 

Definition 3.1 (Tests). A test is a finite, rooted LTS over the set of actions 
Actr U {nok}. 

In the remainder of this study, tests will often be concisely described using the 
regular fragment of Milner’s CCS [13] given by the following grammar: 

$$ T ::= 0 \mid \alpha.T \mid T + T \mid X \mid fix(X = T) $$

where $\alpha \in \mathit{Act}_\tau \cup \{nok\}$, and $X$ ranges over Var. As usual, we shall only be 
concerned with the closed expressions generated by the above grammar, with 
$fix(X = T)$ as the binding construct, and we shall identify expressions that only 
differ in the names of their bound variables. In the sequel, the symbol $\equiv$ will 
be used to denote syntactic equality up to renaming of bound variables. The 
operation of substitution over the set of expressions given above is defined ex- 
actly as for formulae in HML(Var). The operational semantics of the expressions 
generated by the above grammar is given by the classic rules for CCS. These are 
reported below for the sake of clarity: 

$$ \frac{}{\alpha.T \xrightarrow{\alpha} T} \qquad \frac{T_1 \xrightarrow{\alpha} T_1'}{T_1 + T_2 \xrightarrow{\alpha} T_1'} \qquad \frac{T_2 \xrightarrow{\alpha} T_2'}{T_1 + T_2 \xrightarrow{\alpha} T_2'} \qquad \frac{T\{fix(X = T)/X\} \xrightarrow{\alpha} T'}{fix(X = T) \xrightarrow{\alpha} T'} $$

where $\alpha$ is either nok or an action in $\mathit{Act}_\tau$. The intention is that the term $T$ 
stands for the test whose start state is $T$ itself, whose transitions are precisely 
those that are provable using the above inference rules, and whose set of states 
is the collection of expressions reachable from $T$ by performing zero or more 
transitions. We refer the reader to [13] for more information on the operational 
semantics of CCS. 
Definition 3.2 (Testing Properties). Let $\phi$ be a formula in HML, and let $T$ 
be a test. 

- A state $s$ of an LTS passes the test $T$ iff $(s \| root(T)) \backslash \mathit{Act} \stackrel{nok}{\not\Longrightarrow}$. Otherwise we 
say that $s$ fails the test $T$. 

- We say that the test $T$ tests for the formula $\phi$ (and that $\phi$ is testable) iff for 
every LTS $\mathcal{T}$ and every state $s$ of $\mathcal{T}$, $s \models \phi$ iff $s$ passes the test $T$. 

- Let $\mathcal{L}$ be a collection of formulae in HML. We say that $\mathcal{L}$ is testable iff each 
of the formulae in $\mathcal{L}$ is. 

Example 3.3. The formula $[a]ff$ states that a process does not afford an $\stackrel{a}{\Longrightarrow}$- 
transition. We therefore expect that a suitable test for such a property is 
$T = \bar{a}.nok.0$. Indeed, the reader will easily realize that $(s \| T) \backslash \mathit{Act} \stackrel{nok}{\Longrightarrow}$ iff $s \stackrel{a}{\Longrightarrow}$, 
for every state $s$. The formula $[a]ff$ is thus testable, in the sense of this paper. 

The formula $max(X, [a]ff \wedge [b]X)$ is satisfied by those states which cannot per- 
form an $\stackrel{a}{\Longrightarrow}$-transition, no matter how they engage in a sequence of $\stackrel{b}{\Longrightarrow}$-transitions. 
A suitable test for such a property is $fix(X = \bar{a}.nok.0 + \bar{b}.X)$, and the formula 
$max(X, [a]ff \wedge [b]X)$ is thus testable. 

As already stated, our main aim in this paper is to present a characterization of 
the collection of HML-properties that are testable in the sense of Defn. 3.2. To 
this end, we begin by providing evidence to the effect that not every property- 
expressible in HML is testable. 

Proposition 3.4 (Two Negative Results). 

1. Let $\phi$ be a formula in HML. Suppose that $\phi$ is satisfiable. Then, for every 
action $a$ in $\mathit{Act}$, the formula $\langle a \rangle \phi$ is not testable. 

2. Let $a$ and $b$ be two distinct actions in $\mathit{Act}$. Then the formula $[a]ff \vee [b]ff$ is 
not testable. 

Remark. If $\phi$ is unsatisfiable, then the formula $\langle a \rangle \phi$ is logically equivalent to 
$ff$. Since $ff$ is testable using the test $nok.0$, the requirement on $\phi$ is necessary 
for Propn. 3.4(1) to hold. Note moreover that, as previously remarked, both the 
formulae $[a]ff$ and $[b]ff$ are testable, but their disjunction is not (Propn. 3.4(2)). 

Our aim in the remainder of this paper is to show that the collection of testable 
properties is precisely SHML. This is formalized by the following result. 

Theorem 3.5. The collection of formulae SHML is testable. Moreover, every 
testable property in HML can be expressed in SHML. 

The remainder of this paper will be devoted to a proof of the above theorem. In 
the process of developing such a proof, we shall also establish some results per- 
taining to the expressive power of SHML which may be of independent interest. 
3.1 Testability of SHML 

We begin our proof of Thm. 3.5 by showing that the language SHML is testable. 
To this end, we define, for every open formula $\phi$ in the language SHML(Var), a 
regular CCS expression $T_\phi$ by structural recursion thus: 

$$\begin{array}{rcl}
T_{ff} & \stackrel{def}{=} & nok.0 \\
T_{\phi_1 \wedge \phi_2} & \stackrel{def}{=} & \tau.T_{\phi_1} + \tau.T_{\phi_2} \\
T_{[a]\phi} & \stackrel{def}{=} & \bar{a}.T_\phi \\
T_X & \stackrel{def}{=} & X \\
T_{max(X, \phi)} & \stackrel{def}{=} & fix(X = T_\phi) .
\end{array}$$

For example, if $\phi = max(X, [a]ff \wedge [b]X)$ then $T_\phi$ is the test $fix(X = \tau.\bar{a}.nok.0 + 
\tau.\bar{b}.X)$. We recall that we identify CCS descriptions of tests that only differ in 
the name of their bound variables since they give rise to isomorphic LTSs. Our 
order of business in this section will be to show the following result: 

Theorem 3.6. Let $\phi$ be a closed formula contained in SHML. Then the test $T_\phi$ 
tests for it. 



In the proof of this theorem, it will be convenient to have an alternative, novel 
characterization of the satisfaction relation for formulae in the language SHML. 
This we now proceed to present. 

Definition 3.7. Let $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$ be an LTS. The satisfaction relation $\models_\varepsilon$ 
is the largest relation included in $S \times$ SHML satisfying the following implications: 

$$\begin{array}{lcl}
s \models_\varepsilon tt & \Rightarrow & \text{true} \\
s \models_\varepsilon ff & \Rightarrow & \text{false} \\
s \models_\varepsilon \phi_1 \wedge \phi_2 & \Rightarrow & s' \models_\varepsilon \phi_1 \text{ and } s' \models_\varepsilon \phi_2, \text{ for every } s' \text{ such that } s \Longrightarrow s' \\
s \models_\varepsilon [a]\phi & \Rightarrow & s \stackrel{a}{\Longrightarrow} s' \text{ implies } s' \models_\varepsilon \phi, \text{ for every } s' \\
s \models_\varepsilon max(X, \phi) & \Rightarrow & s' \models_\varepsilon \phi\{max(X, \phi)/X\}, \text{ for every } s' \text{ such that } s \Longrightarrow s'
\end{array}$$

A relation satisfying the above implications will be called a weak satisfiability 
relation. 

The satisfaction relation $\models_\varepsilon$ is closed with respect to the relation $\Longrightarrow$, in the sense 
of the following proposition. 

Proposition 3.8. Let $\mathcal{T} = (S, \mathit{Act}_\tau, \to)$ be an LTS. Then, for every $s \in S$ 
and $\phi \in$ SHML, $s \models_\varepsilon \phi$ iff $s' \models_\varepsilon \phi$, for every $s'$ such that $s \Longrightarrow s'$. 

Proof. The only interesting thing to check is that if $s \models_\varepsilon \phi$ and $s \Longrightarrow s'$, then 
$s' \models_\varepsilon \phi$. To this end, it is sufficient to prove that the relation $\mathcal{R}$ defined thus: 

$$ \mathcal{R} \stackrel{def}{=} \{ (s, \phi) \mid t \models_\varepsilon \phi \text{ and } t \Longrightarrow s \} $$

is a weak satisfiability relation. The straightforward verification is left to the 
reader. □ 
We now proceed to establish that the relations $\models_\varepsilon$ and $\models$ coincide for formulae 
in SHML. 

Proposition 3.9. Let $\phi$ be a formula contained in SHML. Then, for every state 
$s$ of an LTS, $s \models_\varepsilon \phi$ iff $s \models \phi$. 

In the proof of Thm. 3.6, it will be convenient to have at our disposal some 
further auxiliary results. For ease of reference, these are collected in the following 
lemma. 

Lemma 3.10. 

1. Let $\phi$ be a formula in SHML. Assume that $T_\phi \xrightarrow{nok}$. Then $\phi$ is logically 
equivalent to $ff$. 

2. Let $\phi$ be a formula in SHML. Assume that $T_\phi \xrightarrow{\tau} T$. Then there are formulae 
$\phi_1$ and $\phi_2$ in SHML such that $T = T_{\phi_1}$ and $\phi$ is logically equivalent to $\phi_1 \wedge \phi_2$. 

3. Let $\phi$ be a formula in SHML. Assume that $T_\phi \xrightarrow{\bar{a}} T$. Then there is a formula 
$\psi$ in SHML such that $T = T_\psi$, and $\phi$ is logically equivalent to $[a]\psi$. 
Using these results, we are now in a position to prove Thm. 3.6. 

Proof of Thm. 3.6: In light of Propn. 3.9, it is sufficient to show that, for 
every state $s$ of an LTS and closed formula $\phi \in$ SHML, 

$$ s \models_\varepsilon \phi \;\text{ iff }\; (s \| T_\phi) \backslash \mathit{Act} \stackrel{nok}{\not\Longrightarrow} . $$

We prove the two implications separately. 

- ‘If Implication’. It is sufficient to show that the relation 

$$ \mathcal{R} \stackrel{def}{=} \{ (s, \phi) \mid (s \| T_\phi) \backslash \mathit{Act} \stackrel{nok}{\not\Longrightarrow} \text{ and } \phi \in \text{SHML} \} $$

is a weak satisfiability relation. The details of the proof are left to the reader. 

- ‘Only If Implication’. We prove the contrapositive statement. To this 
end, assume that 

$$ (s \| T_\phi) \backslash \mathit{Act} \Longrightarrow (s' \| T') \backslash \mathit{Act} \xrightarrow{nok} $$

for some state $s'$ and test $T'$. We show that $s \not\models_\varepsilon \phi$ holds by induction on 
the length of the computation $(s \| T_\phi) \backslash \mathit{Act} \Longrightarrow (s' \| T') \backslash \mathit{Act}$. 

♦ Base Case: $(s \| T_\phi) \backslash \mathit{Act} = (s' \| T') \backslash \mathit{Act}$. In this case, we may in- 
fer that $T_\phi \xrightarrow{nok}$. By Lemma 3.10(1), it follows that $\phi$ is unsatisfiable. 
Propn. 3.9 now yields that $s \not\models_\varepsilon \phi$, which was to be shown. 

♦ Inductive Step: $(s \| T_\phi) \backslash \mathit{Act} \xrightarrow{\tau} (s'' \| T'') \backslash \mathit{Act} \Longrightarrow (s' \| T') \backslash \mathit{Act} \xrightarrow{nok}$, for 
some state $s''$ and test $T''$. We proceed by a case analysis on the form 
the transition 

$$ (s \| T_\phi) \backslash \mathit{Act} \xrightarrow{\tau} (s'' \| T'') \backslash \mathit{Act} $$

may take. 

* Case: $s \xrightarrow{\tau} s''$ and $T'' = T_\phi$. In this case, we may apply the inductive 
hypothesis to infer that $s'' \not\models_\varepsilon \phi$. By Propn. 3.8, it follows that 
$s \not\models_\varepsilon \phi$, which was to be shown. 

* Case: $T_\phi \xrightarrow{\tau} T''$ and $s = s''$. By Lemma 3.10(2), it follows that $\phi$ is 
logically equivalent to $\phi_1 \wedge \phi_2$ for some formulae $\phi_1$ and $\phi_2$ in SHML, 
and that $T'' = T_{\phi_1}$. By induction, we may now infer that $s \not\models_\varepsilon \phi_1$. 
Since $\phi$ is logically equivalent to $\phi_1 \wedge \phi_2$, this implies that $s \not\models_\varepsilon \phi$ 
(Propn. 3.9), which was to be shown. 

* Case: $s \xrightarrow{a} s''$ and $T_\phi \xrightarrow{\bar{a}} T''$, for some action $a \in \mathit{Act}$. By 
Lemma 3.10(3), it follows that $\phi$ is logically equivalent to $[a]\psi$ for 
some formula $\psi$ in SHML, and that $T'' = T_\psi$. By induction, we may 
now infer that $s'' \not\models_\varepsilon \psi$. Since $\phi$ is logically equivalent to $[a]\psi$ and 
$s \xrightarrow{a} s'' \not\models_\varepsilon \psi$, this implies that $s \not\models_\varepsilon \phi$ (Propn. 3.9), which was to be 
shown. 

This completes the inductive argument, and the proof of the ‘only if’ 
implication. 

The proof of the theorem is now complete. □ 

3.2 Expressive Completeness of SHML 

We have just shown that every property ip which can be expressed in the language 
SHML is testable, in the sense of Defn. 3.2. We now address the problem of the 
expressive completeness of this property language with respect to tests. More 
precisely, we study whether all properties that are testable can be expressed in 
the property language SHML — in the sense that, for every test T, there exists 
a formula $\phi_T$ in SHML such that every state of an LTS passes the test $T$ if, 
and only if, it satisfies $\phi_T$. Our aim in this section is to complete the proof 
of Thm. 3.5 by arguing that the language SHML is expressive complete, in the 
sense that every test T may be expressed as a property in the language SHML 
in the precise technical sense outlined above. This amounts to establishing an 
expressive completeness result for SHML akin to classic ones presented in, e.g., 
[9, 5, 17]. In the proof of this expressive completeness result, we shall follow an 
indirect approach by focusing on the compositionality of a property language $\mathcal{L}$ 
with respect to tests and the parallel composition operator $\|$. As we shall see 
(cf. Propn. 3.13), if a property language $\mathcal{L}$, that contains the property $[nok]ff$, 
is compositional with respect to tests and $\|$ (cf. Defn. 3.12) then it is expressive 
complete (cf. Defn. 3.11). We shall show that SHML is compositional with 
respect to tests and ||, and obtain the expressive completeness of such a language 
as a corollary of this stronger result. 

We begin with some preliminary definitions, introducing the key concepts of 
compositionality and (expressive) completeness. 

Definition 3.11 (Expressive completeness). Let $\mathcal{L}$ be a collection of for- 
mulae in HML. We say that $\mathcal{L}$ is (expressive) complete (with respect to tests) if 
for every test $T$ there exists a formula $\phi_T \in \mathcal{L}$ such that, for every state $s$ of an 
LTS, $s \models \phi_T$ iff $s$ passes the test $T$. 
Compositionality, on the other hand, is formally defined as follows: 

Definition 3.12 (Compositionality). Let $\mathcal{L}$ be a collection of formulae in 
HML. We say that $\mathcal{L}$ is compositional (with respect to tests and $\|$) if, for every 
$\phi \in \mathcal{L}$ and every test $T$, there exists a formula $\phi/T \in \mathcal{L}$ such that, for every 
state $s$ of an LTS, $s \| root(T) \models \phi$ iff $s \models \phi/T$. 

Intuitively, the formula $\phi/T$ states a necessary and sufficient condition for state 
$s$ to satisfy $\phi$ when it is made to interact with the test $T$. 

Our interest in compositionality stems from the following result that links it 
to the notion of completeness. In the sequel, we use $\mathcal{L}_{nok}$ to denote the property 
language that only consists of the formula $[nok]ff$. (Recall that nok is a fresh 
action not contained in $\mathit{Act}$.) 

Proposition 3.13. Let $\mathcal{L}$ be a collection of formulae in HML that includes $\mathcal{L}_{nok}$. 
Suppose that $\mathcal{L}$ is compositional. Then $\mathcal{L}$ is complete with respect to tests. 

Proof. Consider an arbitrary test $T$. We aim at exhibiting a formula $\phi_T \in \mathcal{L}$ 
meeting the requirements in Defn. 3.11. Since $\mathcal{L}$ is compositional and contains 
the formula $[nok]ff$, we may define $\phi_T$ to be the formula $([nok]ff)/T$. Let $s$ be 
an arbitrary state of an LTS. We can now argue that $s$ passes $T$ iff it satisfies 
$\phi_T$ thus: 

$$\begin{array}{lcll}
s \text{ passes the test } T & \text{iff} & (s \| root(T)) \backslash \mathit{Act} \stackrel{nok}{\not\Longrightarrow} & \\
& \text{iff} & (s \| root(T)) \backslash \mathit{Act} \models [nok]ff & \\
& \text{iff} & s \| root(T) \models [nok]ff & (\text{as } nok \notin \mathit{Act}) \\
& \text{iff} & s \models ([nok]ff)/T & (\text{as } \mathcal{L} \text{ is compositional}) \\
& \text{iff} & s \models \phi_T . &
\end{array}$$

This completes the proof. □ 

As we shall now show, SHML is compositional with respect to tests and ||, and 
thus expressive complete with respect to tests. We begin by defining a quotient 
construction for formulae of SHML, in the spirit of those given for different 
property languages and over different models in, e.g., [12, 3, 11]. 

Definition 3.14 (Quotient Construction). Let $T$ be a test, and let $t$ be one 
of its states. For every formula $\phi \in$ SHML, we define the formula $\phi/t$ (read ‘$\phi$ 
quotiented by $t$’) as shown in Table 2. 

$$\begin{array}{rcl}
(\phi_1 \wedge \phi_2)/t & \stackrel{def}{=} & \phi_1/t \wedge \phi_2/t \\
([a]\phi)/t & \stackrel{def}{=} & [a](\phi/t) \;\wedge\; \bigwedge_{t \xrightarrow{a} t'} \phi/t' \;\wedge\; \bigwedge_{t \xrightarrow{b} t',\ b \in \mathit{Act}} [\bar{b}](([a]\phi)/t') \\
max(X, \phi)/t & \stackrel{def}{=} & (\phi\{max(X, \phi)/X\})/t
\end{array}$$

Table 2. Quotient construct for SHML 

Some remarks about the definition presented in Table 2 are now in order. The 
definition of the quotient formula presented ibidem should be read as yielding 
a finite list of recursion equations, over variables of the form $\psi/t'$, for every 
formula $\phi$ and state $t$ of a test. The quotient formula $\phi/t$ itself is the component 
associated with $\phi/t$ in the largest solution of the system of equations having $\phi/t$ 
as leading variable. For instance, if $\phi$ is the formula $[a]ff$ and $t$ is a node of a 
test whose only transition is $t \xrightarrow{\bar{b}} t$, then, as the reader can easily verify, $\phi/t$ is 
the largest solution of the recursion equation: 

$$ \phi/t = [a]ff \wedge [b](\phi/t) $$

which corresponds to the formula $max(X, [a]ff \wedge [b]X)$ in the property language 
SHML. This formula states the, intuitively clear, fact that a state of the form 
$s \| t$ cannot perform an $\stackrel{a}{\Longrightarrow}$-transition iff $s$ cannot execute such a step no matter 
how it engages in a sequence of synchronizations on $b$ with $t$. Note that the 
quotient of a recursion-free formula may be a formula involving recursion. It 
can be shown that this is inevitable, because the recursion-free fragment of 
SHML is not compositional. Finally, we remark that, because of our finiteness 
restrictions on tests, the right-hand side of the defining equation for $([a]\phi)/t$ is 
a finite conjunction of formulae. 

The following key result states the correctness of the quotient construction. 

Theorem 3.15. Let $\phi$ be a closed formula in SHML. Suppose that $s$ is a state 
of an LTS, and $t$ is a state of a test. Then $s \| t \models \phi$ iff $s \models \phi/t$. 

Proof. We prove the two implications separately. 

- ‘Only If Implication’. Consider the environment $\rho$ mapping each variable 
$\phi/t$ in the list of equations in Table 2 to the set of states $\{ s \mid s \| t \models \phi \}$. We 
prove that $\rho$ is a post-fixed point of the monotonic functional on environ- 
ments associated with the equations in Table 2, i.e., that if $s \in \rho(\phi/t)$ then 
$s \in [\![\psi]\!]\rho$, where $\psi$ is the right-hand side of the defining equation for $\phi/t$. 
This we now proceed to do by a case analysis on the form the formula $\phi$ may 
take. We only present the details for the most interesting case in the proof. 

♦ Case: $\phi = [a]\psi$. Assume that $s \| t \models [a]\psi$. We show that state $s$ 
is contained in $[\![\xi]\!]\rho$ for every conjunct $\xi$ in the right-hand side of the 
defining equation for $([a]\psi)/t$. 

* Case: $\xi = [a](\psi/t)$. To show that $s \in [\![\xi]\!]\rho$, it is sufficient to prove 
that $s' \in [\![\psi/t]\!]\rho$ for every $s'$ such that $s \stackrel{a}{\Longrightarrow} s'$. To this end, we 
reason as follows: 

$$\begin{array}{lcll}
s \stackrel{a}{\Longrightarrow} s' & \text{implies} & s \| t \stackrel{a}{\Longrightarrow} s' \| t & \\
& \text{implies} & s' \| t \models \psi & (\text{as } s \| t \models [a]\psi) \\
& \text{iff} & s' \in \rho(\psi/t) & (\text{by the definition of } \rho) \\
& \text{iff} & s' \in [\![\psi/t]\!]\rho . &
\end{array}$$

* Case: $\xi = \psi/t'$ with $t \xrightarrow{a} t'$. To show that $s \in [\![\xi]\!]\rho$, it is sufficient 
to prove that $s \in [\![\psi/t']\!]\rho$, for every $t'$ such that $t \xrightarrow{a} t'$. To this end, 
we reason as follows: 

$$\begin{array}{lcll}
t \xrightarrow{a} t' & \text{implies} & s \| t \xrightarrow{a} s \| t' & \\
& \text{implies} & s \| t' \models \psi & (\text{as } s \| t \models [a]\psi) \\
& \text{iff} & s \in \rho(\psi/t') & (\text{by the definition of } \rho) \\
& \text{iff} & s \in [\![\psi/t']\!]\rho . &
\end{array}$$

* Case: $\xi = [\bar{b}](([a]\psi)/t')$ with $t \xrightarrow{b} t'$. To show that $s \in [\![\xi]\!]\rho$, it 
is sufficient to prove that $s' \in [\![([a]\psi)/t']\!]\rho$, for every $s'$ such that 
$s \stackrel{\bar{b}}{\Longrightarrow} s'$. To this end, we reason as follows: 

$$\begin{array}{lcll}
s \stackrel{\bar{b}}{\Longrightarrow} s' \text{ and } t \xrightarrow{b} t' & \text{imply} & s \| t \Longrightarrow s' \| t' & \\
& \text{implies} & s' \| t' \models [a]\psi & (\text{by Propns. 3.8 and 3.9, as } s \| t \models [a]\psi) \\
& \text{iff} & s' \in \rho(([a]\psi)/t') & (\text{by the definition of } \rho) \\
& \text{iff} & s' \in [\![([a]\psi)/t']\!]\rho . &
\end{array}$$

The proof for the case $\phi = [a]\psi$ is now complete. 

- ‘If Implication’. Consider the relation $\mathcal{R}$ defined thus: 

$$ \mathcal{R} \stackrel{def}{=} \{ (s \| t, \phi) \mid s \models \phi/t \} . $$

It is not hard to show that $\mathcal{R}$ is a satisfiability relation. 

The proof of the theorem is now complete. □ 

Corollary 3.16. The property language SHML is compositional with respect to 
tests and the parallel composition operator ||. 
Proof. Given a property $\phi \in$ SHML and a test $T$, define $\phi/T$ to be the formula 
$\phi/root(T)$ given by the quotient construction. The claim is now an immediate 
consequence of Thm. 3.15. □ 

Theorem 3.17. The property language SHML is expressive complete. 

Example 3.18. Applying the construction in the proof of Propn. 3.13, and the 
definition of the quotient formula to the tests 

$$ T_1 = fix(X = \bar{a}.nok.0 + \bar{b}.X) \quad \text{and} \quad T_2 = fix(X = \tau.\bar{a}.nok.0 + \tau.\bar{b}.X) $$

yields that the formula tested by both $T_1$ and $T_2$ is $max(X, [a]ff \wedge [b]X)$. 
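As an added worked instance (not from the paper) of the quotient construction behind Example 3.18 for the test $T_1$, write $t_0$ for the root $fix(X = \bar{a}.nok.0 + \bar{b}.X)$, $t_1$ for $nok.0$ and $t_2$ for $0$, so that $t_0 \xrightarrow{\bar{a}} t_1$, $t_0 \xrightarrow{\bar{b}} t_0$ and $t_1 \xrightarrow{nok} t_2$ are the only transitions. We assume, as the instance following Table 2 does, that $ff/t = ff$ for every state $t$. Since $t_0$ has no nok-transition and $t_1$ has no transition labelled by an action in $\mathit{Act}$, Table 2 yields the equations 

$$\begin{array}{rcl}
([nok]ff)/t_0 & = & [nok](ff/t_0) \;\wedge\; [a](([nok]ff)/t_1) \;\wedge\; [b](([nok]ff)/t_0) \\
([nok]ff)/t_1 & = & [nok](ff/t_1) \;\wedge\; ff/t_2 .
\end{array}$$

As $ff/t_2 = ff$, the second equation gives $([nok]ff)/t_1 = ff$, and since every state satisfies a formula of the form $[nok]\psi$ (Remark in Sect. 2), the first equation reduces to the recursion equation 

$$ ([nok]ff)/t_0 = [a]ff \wedge [b](([nok]ff)/t_0) , $$

whose largest solution is $max(X, [a]ff \wedge [b]X)$, the formula $\phi_{T_1} = ([nok]ff)/T_1$ stated in Example 3.18. 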

Collecting the results in Thms. 3.6 and 3.17, we have now finally completed 
the proof of Thm. 3.5. Thus, as claimed, the collection of testable properties 
coincides with that of the properties expressible in SHML. The following result 
gives another characterization of the expressive power of SHML which has some 
independent interest. 

Theorem 3.19. The property language SHML is the least expressive extension
of $\mathcal{L}_{nok}$ that is compositional with respect to tests and $\|$.

Proof. Assume that $\mathcal{L}$ is a property language that extends $\mathcal{L}_{nok}$ and is compo-
sitional. We show that every property in SHML is logically equivalent to one in
$\mathcal{L}$, i.e., that $\mathcal{L}$ is at least as expressive as SHML. To this end, let $\varphi$ be a property
in SHML. By Thm. 3.6, there is a test $T_\varphi$ such that $s \models \varphi$ iff $s$ passes the
test $T_\varphi$, for every state $s$. Since $\mathcal{L}$ is an extension of $\mathcal{L}_{nok}$ that is compositional,
Propn. 3.13 yields that $\mathcal{L}$ is complete. Thus there is a formula $\psi \in \mathcal{L}$ such that
$s \models \psi$ iff $s$ passes the test $T_\varphi$, for every state $s$. It follows that $\psi$ and $\varphi$ are
satisfied by precisely the same states, and are therefore logically equivalent. □
Abstract. A strong $\mathcal{L}$ logic programming language ([14,15]) is given by two sub-
classes of formulas (programs and goals) of the underlying logic $\mathcal{L}$, provided that:
firstly, any program $P$ (viewed as an $\mathcal{L}$-theory) has a canonical model $M_P$ which is
initial in the category of all its $\mathcal{L}$-models; secondly, the $\mathcal{L}$-satisfaction of a goal $G$ in
$M_P$ is equivalent to the $\mathcal{L}$-derivability of $G$ from $P$; and finally, there exists an effective
(computable) proof-subcalculus of the $\mathcal{L}$-calculus which works out the derivation of
goals from programs. In this sense, Horn clauses constitute a strong (first-order) logic
programming language. Following the methodology suggested in [15] for designing logic
programming languages, an extension of Horn clauses should be made by extending its
underlying first-order logic to a richer logic which supports a strong axiomatization of
the extended logic programming language. A well-known approach for extending Horn
clauses with embedded implications is the static scope programming language presented
in [8]. In this paper we show that such a language can be seen as a strong $FO^\supset$ logic
programming language, where $FO^\supset$ is a very natural extension of first-order logic with
intuitionistic implication. That is, we present a new characterization of the language
in [8] which shows that Horn clauses extended with embedded implications, viewed as
$FO^\supset$-theories, preserve all the attractive mathematical and computational properties
that Horn clauses satisfy as first-order theories.



1 Introduction 

Horn clause programs are theories in first-order logic (namely $FO$) whose computation
relation (between programs and goals) is equivalent to the following relations of $FO$:
logical consequence, derivability and satisfaction in the least Herbrand model of the
program. Moreover, the least Herbrand model of a program is initial in the category
of all first-order models of the program and it exactly satisfies the goals which are
satisfied in every model in this category. In other words, Horn clauses can be seen
as an $FO$ logic programming language, in the strong sense of [14, 15], because its un-
derlying logic $FO$ has attractive (model-theoretic) mathematical and (proof-theoretic)
computational properties (for programs and goals). This idea was formalized in [14, 15]
where the notion of a strong logic programming language is defined as a restriction of
an underlying logic satisfying good properties. This means, once an underlying
logic is fixed, setting which subclasses of its formulas correspond to the classes of programs and
queries or goals, respectively. The underlying logic, for these subclasses, must satisfy
three properties: mathematical semantics, goal completeness and operational seman-
tics. The mathematical semantics property requires that any program has a canonical
model, which is initial in the class of all models of the program (seen as a theory in
the underlying logic). Goal completeness means that logical satisfaction of goals in
the initial model is equivalent to the derivability relation (of the logic) restricted to
programs and goals. The operational semantics property means the existence of an ef-
fective (computable) proof-subcalculus of the calculus (of the logic) for deriving goals
from programs. We believe that this view of axiomatizing a logic programming lan-
guage inside an underlying logic has many advantages. On one hand, it allows one to
separate general logical features from programming language features. On the other
hand, a useful way to analyse, compare and integrate different programming features
is to axiomatize them into a common underlying logic.

Thomas (Ed.): FOSSACS'99, LNCS 1578, pp. 56-72, 1999.

Attempts to extend Horn clause logic programming (e.g. with modules, higher-order,
data abstraction, etc.) should be done by preserving (as much as possible) the above-
mentioned mathematical and computational properties. Since Horn clause logic is the
greatest fragment of $FO$ admitting initial models, concrete extensions could require
changing (by restricting or enriching) the underlying logic $FO$. Many approaches are
concerned with extending Horn clauses with some features for program structuring
that can be seen as a form of modularity in logic programming (see for instance [2]
for a survey). Some of them consider the extension of Horn clauses with implication
goals of the form $D \supset G$, called blocks, where $D$ can be seen as a local set of clauses
(or module) for proving the goal $G$. This approach yields different extensions of
Horn clause programming depending on the semantics given to such blocks. A first
basic distinction is between closed blocks: $G$ can be proved only using local clauses
from $D$, and open blocks: $G$ can be proved using $D$ and also the external environment.
Therefore, open blocks require scope rules to fix the interplay between the predicate
definitions inside a module $D$ and those in the environment. In general, dealing with
open blocks, a module can extend the definition of a predicate already defined in
the environment. Hence, different definitions of the same predicate could have to be
considered, depending on the collection of modules corresponding to different goals.
There are mainly two scope rules, named static and dynamic, allowing this kind of
extension of predicate definitions. In the dynamic approach the set of modules taking
part in the resolution of a goal $G$ can only be determined from the sequence of goals
generated until $G$. However, in the static case this set of modules can be determined
(for each goal) statically from the block structure of the program. Different proposals of
logic programming languages for open blocks with dynamic scope have been presented
and studied in several papers (e.g. [4-6, 16-18]). The static scope approach has been
mainly studied in [8,7]. In [2,7] both approaches are compared. Some other
works (e.g. [19,20]) treat open blocks with different scope rules, avoiding this kind of
predicate extension.

In [16] Miller proves that the proof-theoretic semantics for his dynamic scope program-
ming language is based on intuitionistic logic, and in [2] it is shown that Miller's
canonical model for a program is indeed an intuitionistic model of this program. How-
ever, for the static scope programming language introduced in [8], neither first-order
logic nor intuitionistic logic can be used for this purpose. Following the methodology
suggested in [15] for designing logic programming languages, the extension of Horn
clauses with intuitionistic implication should be strongly axiomatized in a logic which
integrates $FO$ and intuitionistic implication. In this paper we introduce a complete
logic called $FO^\supset$, which is a very natural extension of $FO$ with intuitionistic implica-
tion. We give a new characterization of the well-known semantics for the static scope
programming language presented in [8]. This characterization strongly axiomatizes the
logic programming language inside $FO^\supset$ logic, showing that it satisfies all the desirable
properties.

The paper is organized as follows: In Section 2 we introduce the formalization of [14,
15] for a strong logic programming language which is the methodological basis for our
work. In Section 3 we give a short introduction to the underlying logic $FO^\supset$, giving
the necessary notions and results for the rest of the paper. In Section 4 we develop the
$FO^\supset$ strong axiomatization of the static scope programming language. We conclude,
in Section 5, by summarizing the presented results and related work.



2 Preliminaries 

In this section, we introduce the notions of logic and strong logic programming language, 
following [14, 15]. 

The notion of a logic is obtained by combining an entailment system (formalizing the
proof-theoretical component of a logic) with an institution (formalizing the model-
theoretical component) such that a soundness condition relating provability and satis-
faction holds. An entailment system is a triple $(\mathrm{Sign}, \mathrm{sen}, \vdash)$ with $\mathrm{Sign}$ a category of
signatures, $\mathrm{sen}$ a functor associating to each $\Sigma \in \mathrm{Sign}$ a set $\mathrm{sen}(\Sigma)$ of $\Sigma$-sentences and
$\vdash$ a function associating to each $\Sigma \in \mathrm{Sign}$ a binary relation $\vdash_\Sigma \subseteq \mathcal{P}(\mathrm{sen}(\Sigma)) \times \mathrm{sen}(\Sigma)$,
called $\Sigma$-entailment or $\Sigma$-derivability, which satisfies the properties of reflexivity, mono-
tonicity, transitivity and $\vdash$-translation (i.e. preservation by signature morphisms). An
institution is a 4-tuple $(\mathrm{Sign}, \mathrm{sen}, \mathrm{Mod}, \models)$ with $\mathrm{Sign}$ and $\mathrm{sen}$ as above; $\mathrm{Mod}$ is a func-
tor associating to each $\Sigma \in \mathrm{Sign}$ a corresponding category $\mathrm{Mod}(\Sigma)$ whose objects are
called $\Sigma$-structures (or $\Sigma$-models) and whose morphisms preserve the interpretation
given to signature symbols; and $\models$ is a function associating to each $\Sigma \in \mathrm{Sign}$ a binary
relation $\models_\Sigma \subseteq \mathrm{Mod}(\Sigma) \times \mathrm{sen}(\Sigma)$, called $\Sigma$-satisfaction, which satisfies the $\models$-invariance
property (i.e. for any $M_2 \in \mathrm{Mod}(\Sigma_2)$, $H : \Sigma_1 \to \Sigma_2$ and $\varphi \in \mathrm{sen}(\Sigma_1)$: $\mathrm{Mod}(H)(M_2) \models_{\Sigma_1} \varphi$
iff $M_2 \models_{\Sigma_2} \mathrm{sen}(H)(\varphi)$). Given $\Gamma \subseteq \mathrm{sen}(\Sigma)$, $\mathrm{Mod}(\Gamma)$ denotes the full subcategory of $\mathrm{Mod}(\Sigma)$
determined by the structures $M \in \mathrm{Mod}(\Sigma)$ such that $M \models_\Sigma \varphi$ for each $\varphi \in \Gamma$. The
satisfaction relation induces a logical consequence relation between sets of sentences
and sentences, also denoted $\models$, as follows: $\Gamma \models_\Sigma \varphi$ iff $M \models_\Sigma \varphi$ for each $M \in \mathrm{Mod}(\Gamma)$.

A logic is given by an entailment system and an institution sharing the same signatures
and sentences, such that soundness of the derivability relation w.r.t. the logical
consequence relation holds. A logic is a 5-tuple $\mathcal{L} = (\mathrm{Sign}, \mathrm{sen}, \mathrm{Mod}, \vdash, \models)$ such that:

— $(\mathrm{Sign}, \mathrm{sen}, \vdash)$ is an entailment system

— $(\mathrm{Sign}, \mathrm{sen}, \mathrm{Mod}, \models)$ is an institution

— For any $\Sigma \in \mathrm{Sign}$, $\Gamma \subseteq \mathrm{sen}(\Sigma)$ and $\varphi \in \mathrm{sen}(\Sigma)$, $\Gamma \vdash_\Sigma \varphi \Rightarrow \Gamma \models_\Sigma \varphi$ (Soundness).

In addition, there are some other useful properties that a logic could satisfy, like com-
pleteness, compactness, etc.

From the axiomatic point of view, a strong logic programming language is a 4-tuple
$(\mathcal{L}, \mathrm{Sign}', \mathrm{prog}, \mathrm{goal})$ with:

— $\mathcal{L} = (\mathrm{Sign}, \mathrm{sen}, \mathrm{Mod}, \vdash, \models)$ a logic, namely the underlying logic of the language

— $\mathrm{Sign}'$ a subcategory of $\mathrm{Sign}$

— $\mathrm{prog}$ a functor associating to each $\Sigma \in \mathrm{Sign}'$ a set $\mathrm{prog}(\Sigma)$ (of $\Sigma$-programs)
included in $\mathcal{P}_{fin}(\mathrm{sen}(\Sigma))$

— $\mathrm{goal}$ a functor associating to each $\Sigma \in \mathrm{Sign}'$ a set of $\Sigma$-goals, $\mathrm{goal}(\Sigma) \subseteq \mathrm{sen}(\Sigma)$

such that the following properties are satisfied:

1. Mathematical Semantics: Each program $P \in \mathrm{prog}(\Sigma)$ has a model $M_P$ which is
initial in the category $\mathrm{Mod}(P)$ of all models in $\mathrm{Mod}(\Sigma)$ satisfying $P$

2. Goal Completeness (w.r.t. the initial model): For any program $P \in \mathrm{prog}(\Sigma)$ and
any goal $G \in \mathrm{goal}(\Sigma)$, $P \vdash_\Sigma G \iff M_P \models_\Sigma G$

3. Operational Semantics: Existence of an effective proof subcalculus for the deriv-
ability relation $\vdash_\Sigma$ restricted to $\mathrm{prog}(\Sigma) \times \mathrm{goal}(\Sigma)$.



3 The Logic 

In this section we introduce the sound and complete logic $FO^\supset$ which extends classi-
cal first-order logic with intuitionistic implication. We present its language, semantical
structures, logical consequence relation, derivability relation and some other details
which are relevant to understanding the rest of the paper. A more detailed presentation
of this logic is out of the scope of this paper; it can be found in [11], where in particular
soundness and completeness of $FO^\supset$ logic are proved.

A signature $\Sigma \in \mathrm{Sign}$ consists of countable sets $FS_\Sigma$ of function symbols, and $PS_\Sigma$
of predicate symbols, with some specific arity for each function and predicate sym-
bol. We also assume a countable set $VS_\Sigma$ of variable symbols. We denote by $T_\Sigma$ the
set of all well-formed first-order $\Sigma$-terms. A term is closed if no variable symbol
occurs in it. Well-formed $\Sigma$-formulas are built, from atomic ones, using classical con-
nectives ($\neg$, $\wedge$, $\vee$, $\to$), intuitionistic implication ($\supset$), and classical quantifiers ($\forall$, $\exists$). Free
and bound variables and substitution have the usual definitions. $\mathrm{sen}(\Sigma)$ is the set of
$\Sigma$-sentences, that is, $\Sigma$-formulas with no free variables. We will denote formulas by
lowercase Greek letters ($\varphi$, $\psi$, ...). The uppercase Greek letters $\Gamma$ and $\Phi$ (possibly
with sub- and superscripts) will be used as metavariables for sets of formulas. Model
theory is based on Kripke structures ([21]).

Definition 1. A Kripke $\Sigma$-structure is a triple $K = (W(K), \le, (\mathcal{A}_w)_{w \in W(K)})$ where
$(W(K), \le)$ is a non-empty partially ordered set (of worlds) and each $\mathcal{A}_w$ is a first-
order $\Sigma$-structure (with universe $A_w$, over which predicate and function symbols are
interpreted) such that for any pair of worlds $v \le w$ in $W(K)$:

— $A_v \subseteq A_w$

— $p^{\mathcal{A}_v} \subseteq p^{\mathcal{A}_w}$ for all $p \in PS_\Sigma$

— $f^{\mathcal{A}_v}(a_1, \ldots, a_n) = f^{\mathcal{A}_w}(a_1, \ldots, a_n)$, for all $a_1, \ldots, a_n \in A_v$ and $f \in FS_\Sigma$. ■

$\mathrm{Mod}(\Sigma)$ will denote the category whose objects are Kripke $\Sigma$-structures. The mor-
phisms in this category will be given in Definition 6.

We denote by $t^{\mathcal{A}}$ the classical first-order interpretation of $t \in T_\Sigma$. Term inter-
pretation behaves monotonically, that is, for any Kripke structure $K$ and any pair of
worlds $v, w \in W(K)$ such that $v \le w$: $t^{\mathcal{A}_v} = t^{\mathcal{A}_w} \in A_v \subseteq A_w$. The satisfaction of sentences
in worlds is handled by the following forcing relation:

Definition 2. Let $K \in \mathrm{Mod}(\Sigma)$; the binary forcing relation $\Vdash \subseteq W(K) \times \mathrm{sen}(\Sigma)$ is
inductively defined as follows:

$w \nVdash \bot$
$w \Vdash p(t_1, \ldots, t_n)$ iff $(t_1^{\mathcal{A}_w}, \ldots, t_n^{\mathcal{A}_w}) \in p^{\mathcal{A}_w}$
$w \Vdash \neg\varphi$ iff $w \nVdash \varphi$
$w \Vdash \varphi \wedge \psi$ iff $w \Vdash \varphi$ and $w \Vdash \psi$
$w \Vdash \varphi \vee \psi$ iff $w \Vdash \varphi$ or $w \Vdash \psi$
$w \Vdash \varphi \to \psi$ iff if $w \Vdash \varphi$ then $w \Vdash \psi$
$w \Vdash \varphi \supset \psi$ iff for all $v \in W(K)$ such that $v \ge w$: if $v \Vdash \varphi$ then $v \Vdash \psi$
$w \Vdash \exists x\varphi$ iff $w \Vdash \varphi(\bar{a}/x)$ for some $a \in A_w$ ¹
$w \Vdash \forall x\varphi$ iff $w \Vdash \varphi(\bar{a}/x)$ for all $a \in A_w$. ■

We will write $w, K \Vdash \varphi$ (instead of $w \Vdash \varphi$) whenever confusion on the structure $K$ may
occur. This forcing relation gives a non-intuitionistic semantics to negation, classical
implication ($\to$) and universal quantification; as a consequence, the forcing relation
on sentences does not behave monotonically w.r.t. the world ordering. We say that a
sentence is persistent whenever the forcing relation behaves monotonically for it.

Definition 3. A $\Sigma$-sentence $\varphi$ is persistent iff for any $K \in \mathrm{Mod}(\Sigma)$ and $w \in W(K)$:
if $w \Vdash \varphi$ then $v \Vdash \varphi$ for any $v \in W(K)$ such that $v \ge w$. ■

Persistent sentences play an important role in the $FO^\supset$-axiomatization of logic pro-
gramming languages with embedded implications, since there is a subclass of persistent
sentences (that can be syntactically delimited) which includes the class of goals.

Proposition 4. Any atomic sentence is persistent. Any sentence $\varphi \supset \psi$ is persistent.
If $\varphi$ and $\psi$ are persistent sentences, then $\varphi \vee \psi$ and $\varphi \wedge \psi$ are persistent. If $\varphi(\bar{a})$ is a
persistent sentence, then $\exists x\varphi$ is persistent.

Proof. For atoms the property is a trivial consequence of the Kripke structure defini-
tion. For intuitionistic implication it is also trivial from the forcing relation definition. The
other two cases are easily proved, by induction, using the forcing relation definition for
$\vee$, $\wedge$ and $\exists$. ■
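The forcing relation of Definition 2 and the persistence property of Definition 3, restricted to the propositional (quantifier-free) fragment, as an added example that is not part of the paper: a finite Kripke structure whose worlds carry Herbrand-style sets of ground atoms, the forcing clause for each connective, satisfaction on minimal worlds (Definition 5), and a check that ¬ and the classical → are not persistent while ⊃ is. The three-world chain and the formulas are constructed for illustration.

```python
"""Forcing over a finite Kripke structure (Definition 2, propositional fragment)
and the persistence test of Definition 3.  Constructed example, not the paper's
code.  Every world carries the set of ground atoms true in its first-order
structure; `order` lists the pairs (v, w) with v <= w (reflexive pairs may be
omitted, transitive ones must be given explicitly).

Formulas: 'bot' | 'p' (ground atom) | ('not', f) | ('and', f, g) | ('or', f, g)
          | ('to', f, g)   classical implication  ->
          | ('sup', f, g)  intuitionistic implication  (the paper's ⊃)
"""


class Kripke:
    def __init__(self, atoms, order):
        self.atoms = {w: frozenset(a) for w, a in atoms.items()}
        self.le = set(order) | {(w, w) for w in self.atoms}
        # Definition 1: the interpretation of predicates must grow along <=
        for v, w in self.le:
            if not self.atoms[v] <= self.atoms[w]:
                raise ValueError(f"{v} <= {w} but atoms are lost from {v} to {w}")

    def above(self, w):
        """All worlds v with w <= v (w itself included)."""
        return [v for v in self.atoms if (w, v) in self.le]

    def minimal(self):
        """Definition 5(a): worlds with no strictly smaller world."""
        return [w for w in self.atoms
                if not any(v != w and (v, w) in self.le for v in self.atoms)]

    def forces(self, w, f):
        """w ||- f, clause by clause as in Definition 2."""
        if f == 'bot':
            return False
        if isinstance(f, str):
            return f in self.atoms[w]
        tag, a, *rest = f
        if tag == 'not':
            return not self.forces(w, a)
        b = rest[0]
        if tag == 'and':
            return self.forces(w, a) and self.forces(w, b)
        if tag == 'or':
            return self.forces(w, a) or self.forces(w, b)
        if tag == 'to':            # evaluated at w only: classical, hence not persistent
            return (not self.forces(w, a)) or self.forces(w, b)
        if tag == 'sup':           # quantifies over every v >= w: intuitionistic
            return all((not self.forces(v, a)) or self.forces(v, b)
                       for v in self.above(w))
        raise ValueError(f"unknown connective {tag!r}")

    def satisfies(self, f):
        """K |= f, Definition 5(b): forced in every minimal world."""
        return all(self.forces(w, f) for w in self.minimal())

    def persistent(self, f):
        """Definition 3 checked on this structure: forcing is upward closed."""
        return all(self.forces(v, f)
                   for w in self.atoms if self.forces(w, f)
                   for v in self.above(w))


# Constructed three-world chain w0 <= w1 <= w2 with growing Herbrand interpretations.
CHAIN = Kripke({'w0': set(), 'w1': {'b'}, 'w2': {'b', 'c'}},
               [('w0', 'w1'), ('w1', 'w2'), ('w0', 'w2')])

if __name__ == "__main__":
    for f in [('not', 'b'), ('to', 'b', 'c'), ('sup', 'b', 'c'), ('sup', 'c', 'b')]:
        print(f, "satisfied:", CHAIN.satisfies(f), "persistent:", CHAIN.persistent(f))
```

Note that ¬b is satisfied by CHAIN (it holds in the minimal world w0) yet is lost at w1, which is exactly the non-monotonicity the text attributes to negation and classical implication.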

The satisfaction relation $\models_\Sigma \subseteq \mathrm{Mod}(\Sigma) \times \mathrm{sen}(\Sigma)$ requires the sentence to be forced
(only) in the minimal worlds of the structure. This satisfaction relation induces the
logical consequence relation, denoted by the same symbol $\models_\Sigma$.

Definition 5. Let $K \in \mathrm{Mod}(\Sigma)$ and $\Gamma \cup \{\varphi\} \subseteq \mathrm{sen}(\Sigma)$. We say that

(a) A world $w \in W(K)$ is minimal iff there does not exist $v \in W(K)$ such that $v \le w$
and $v \ne w$.

(b) $K \models_\Sigma \varphi$ ($K$ satisfies $\varphi$) iff $w \Vdash \varphi$ for each minimal world $w \in W(K)$.

(c) $\Gamma \models_\Sigma \varphi$ ($\varphi$ is a logical consequence of $\Gamma$) iff $K \models_\Sigma \Gamma \Rightarrow K \models_\Sigma \varphi$, for each
$K \in \mathrm{Mod}(\Sigma)$. ■

Morphisms in $\mathrm{Mod}(\Sigma)$ relate only minimal worlds, with the idea of preserving the
satisfaction relation for ground atoms, in the following way:

Definition 6. For $i = 1, 2$, let $K_i = (W(K_i), \le_{K_i}, (\mathcal{A}_{i,w})_{w \in W(K_i)}) \in \mathrm{Mod}(\Sigma)$ and let
$W(K_i)^{min}$ be the set of minimal worlds in $W(K_i)$. A morphism $H : K_1 \to K_2$ is given
by a mapping $\sigma_H : W(K_2)^{min} \to W(K_1)^{min}$ together with a collection of first-order
$\Sigma$-homomorphisms $\{H_w : \mathcal{A}_{1,\sigma_H(w)} \to \mathcal{A}_{2,w}\}_{w \in W(K_2)^{min}}$. If the mapping $\sigma_H$ is unique
(for instance when $K_1$ has only one minimal world) then we will identify $H$ directly
with its collection of first-order $\Sigma$-homomorphisms. ■



¹ The constant symbol $\bar{a}$ stands for the syntactic denotation of $a$ (see e.g. [21]).
Remark 1. We recall that first-order $\Sigma$-homomorphisms are mappings that preserve
the operations and relations which (respectively) interpret function and predicate sym-
bols. In particular they preserve ground atoms. ■

Actually, the above-defined 4-tuple $FO^\supset = (\mathrm{Sign}, \mathrm{sen}, \mathrm{Mod}, \models)$ forms an institution.
The satisfaction relation is preserved: for each signature morphism $H : \Sigma \to \Sigma'$,
each $K' \in \mathrm{Mod}(\Sigma')$ and each $\varphi \in \mathrm{sen}(\Sigma)$, it is the case that $\mathrm{Mod}(H)(K') \models_\Sigma \varphi$ iff
$K' \models_{\Sigma'} \mathrm{sen}(H)(\varphi)$, where $\mathrm{sen}(H) : \mathrm{sen}(\Sigma) \to \mathrm{sen}(\Sigma')$ is the translation of sentences
induced by $H$ and where $\mathrm{Mod}(H) : \mathrm{Mod}(\Sigma') \to \mathrm{Mod}(\Sigma)$ is the forgetful functor as-
sociated to $H$. This functor maps each $\Sigma'$-structure $K'$ into a $\Sigma$-structure $K$ with
the same ordered set of worlds and it associates each first-order structure $\mathcal{A}'_w$ with its
forgetful first-order structure $V_H(\mathcal{A}'_w)$.



Structural Rules

[Figure content: the rules (Init) and (Cut) and the initial sequents for $\bot$ and $\top$; the rule layout did not survive extraction.]

Connective Rules

[Figure content: left and right rules for $\neg$, $\vee$, $\wedge$, $\to$ and $\supset$, written over antecedents of the form $\Delta; \Gamma; \Delta'$; the rule layout did not survive extraction.]

Quantifier Rules

[Figure content: left and right rules for $\exists$ and $\forall$, with $c$ a fresh constant and $t$ a closed term; the rule layout did not survive extraction.]

Fig. 1. A sound and complete sequent calculus for $FO^\supset$.

We will complete the definition of $FO^\supset$ logic by giving a derivability relation $\vdash_\Sigma \subseteq$
$\mathcal{P}(\mathrm{sen}(\Sigma)) \times \mathrm{sen}(\Sigma)$ in terms of sequent calculus proofs. Gentzen's original notion
considers sequents $\Gamma \rhd \Phi$ whose antecedent $\Gamma$ and consequent $\Phi$ are both finite (possibly
empty) sequences of formulas. In $FO^\supset$ logic, to deal with classical and intuitionistic
implications inside the same logic, it is essential to introduce extra structure in sequent
antecedents. That is, to achieve soundness and completeness for $FO^\supset$ logic, we consider
sequents consisting of pairs $\Delta \rhd \varphi$ where the antecedent $\Delta$ is a (finite) sequence of
(finite) sets of formulas, and the consequent $\varphi$ is (as in intuitionistic logic) a single
formula. Uppercase Greek letters $\Delta, \Delta', \Delta'', \ldots$ will be used as metavariables for
sequences of sets of formulas. In order to simplify sequent notation: the semicolon sign
(;) will represent the infix operation for concatenation of sequences, $\Gamma \cup \{\varphi\}$ will be
abbreviated by $\Gamma, \varphi$; and a set $\Gamma$ will be identified with the sequence consisting of this
unique set. On these bases, we present a sound and complete sequent calculus for the
$FO^\supset$ logic in Figure 1 where (in quantifier rules) $c$ stands for a new fresh constant
symbol and $t$ stands for a closed term.

Notice that every rule in the calculus of Fig. 1 is a natural generalization (to sequences of
sets in the antecedent) of some classical first-order sequent rule. Moreover, by viewing
the antecedent as a single set of formulas, the rules for both implication connectives
would coincide. It is also easy to see that (R$\supset$) is the unique rule creating a new set
in the antecedent.

Definition 8. For any (possibly infinite) set $\Gamma \cup \{\varphi\} \subseteq \mathrm{sen}(\Sigma)$ we say that $\Gamma \vdash_\Sigma \varphi$
iff for some finite $\Gamma' \subseteq \Gamma$ there exists a proof of the sequent $\Gamma' \rhd \varphi$ using the calculus
in Figure 1. ■

In general, a proof for the sequent $\Delta \rhd \varphi$ is a finite tree constructed using inference
rules of the calculus, such that the root is the sequent $\Delta \rhd \varphi$ and whose leaves are
labeled with initial sequents (in our case, these are (Init), ($\bot$L), (R$\top$)). In particular,
the antecedent $\Delta$ may be a unitary sequence of one finite set $\Gamma$. We recall that $\vdash_\Sigma$
is the relation induced (by the calculus in Fig. 1) on the set $\mathcal{P}(\mathrm{sen}(\Sigma)) \times \mathrm{sen}(\Sigma)$. It is
worthwhile noting that this relation satisfies reflexivity, monotonicity and transitivity,
although no rule in the calculus (Fig. 1) directly corresponds to them.
Besides, the $\vdash$-translation property is also satisfied. However, the extension to a relation
between sequences of sets of formulas and formulas fails to satisfy the former three
properties.



4 The Logic Programming Language $\mathrm{Horn}^\supset$

In this section we give the strong $FO^\supset$ axiomatization for the static scope program-
ming language introduced in [8]. Its syntax is an extension of the Horn clause language,
obtained by adding the intuitionistic implication $\supset$ in goals. We define this language as the fol-
lowing 4-tuple $\mathrm{Horn}^\supset = (FO^\supset, \mathrm{Sign}', \mathrm{prog}, \mathrm{goal})$, where $\mathrm{Sign}'$ is the class of finite
signatures in $\mathrm{Sign}$ and, for each $\Sigma$ in $\mathrm{Sign}'$, $\mathrm{prog}(\Sigma)$ is the set of all $\Sigma$-programs, which
are finite sets of closed D-clauses (called $\Sigma$-clauses), and $\mathrm{goal}(\Sigma)$ is the set of all closed
G-clauses (called $\Sigma$-goals). D- and G-clauses are recursively defined as follows (where
$A$ stands for an atomic formula):

$G ::= A \mid G_1 \wedge G_2 \mid D \supset G \mid \exists x G$ $\qquad$ $D ::= A \mid G \to A \mid D_1 \wedge D_2 \mid \forall x D$

Following [8], we use a simple definition of the operational semantics of $\mathrm{Horn}^\supset$, given by
a nondeterministic set of rules which define when a $\Sigma$-goal $G$ is operationally derivable
from a program sequence $\Delta = P_0; \ldots; P_n$, in symbols $\Delta \vdash_s G$. Moreover, to deal with
clauses in $P \in \mathrm{prog}(\Sigma)$ of the form $D_1 \wedge D_2$ and $\forall x D$, we utilize the closure (w.r.t.
conjunction and instantiation) set $[P]$ of all clauses in $P$. This abstract definition of
the operational semantics is more suitable to be compared with the mathematical
semantics of $\mathrm{Horn}^\supset$.

Definition 9. $[P]$ is defined as the set $\bigcup\{[D] \mid D \in P\}$ where $[D]$ is recursively
defined as follows: $[A] = \{A\}$, $[G \to A] = \{G \to A\}$, $[D_1 \wedge D_2] = [D_1] \cup [D_2]$,
$[\forall x D] = \bigcup\{[D(t/x)] \mid t \in T_\Sigma$ and $t$ is closed$\}$. ■
(1) $\Delta \vdash_s A$ if $A$ is atomic and $A \in [\Delta]$

(2) $\dfrac{P_0; \ldots; P_i \vdash_s G}{P_0; \ldots; P_n \vdash_s A}$ if $G \to A \in [P_i]$ and $0 \le i \le n$

(3) $\dfrac{\Delta \vdash_s G_1 \quad \Delta \vdash_s G_2}{\Delta \vdash_s G_1 \wedge G_2}$

(4) $\dfrac{\Delta \vdash_s G(t/x)}{\Delta \vdash_s \exists x G}$

(5) $\dfrac{\Delta; \{D\} \vdash_s G}{\Delta \vdash_s D \supset G}$

Fig. 2. Operational Semantics for $\mathrm{Horn}^\supset$.

Notice that $w \Vdash P$ iff $w \Vdash [P]$ and also that all clauses in $[P]$ match the pattern $G \to A$
(with $G$ possibly empty for handling the case $A$). We extend the notation $[P]$ to $[\Delta]$ by
$[P_0; \ldots; P_n] = \bigcup_{i=0}^{n} [P_i]$. Now, we define $\Delta \vdash_s G$ by means of the rules given in Figure 2.
In order to illustrate the operational behaviour of this language we give Example 10.



Example 10. Let the program with two clauses $P = \{((b \to c) \supset c) \to a,\ b\}$ and let
the goal $G_1 = a$. A proof of $P \vdash_s G_1$ is given by the following steps (applying rules in
Figure 2):

$P \vdash_s a$ by Rule (2)
if $P \vdash_s (b \to c) \supset c$ by Rule (5)
if $P; \{b \to c\} \vdash_s c$ by Rule (2)
if $P; \{b \to c\} \vdash_s b$ by Rule (1) since $b \in [P; \{b \to c\}]$

However, let now the program with a unique clause $Q = \{((b \to c) \supset c) \to a\}$ and
let the goal $G_2 = b \supset a$. The only way to obtain a proof of $Q \vdash_s G_2$ would make the
following steps:

$Q \vdash_s b \supset a$ by Rule (5)
if $Q; \{b\} \vdash_s a$ by Rule (2)
if $Q \vdash_s (b \to c) \supset c$ by Rule (5)
if $Q; \{b \to c\} \vdash_s c$ by Rule (2)
if $Q; \{b \to c\} \vdash_s b$

Since the last sequent cannot be proved, $Q \nvdash_s G_2$. ■

This example shows the meaning of the "static scope rule": the set of clauses which can be
used to solve a goal depends on the program's block structure. Whereas $G_1 = a$ can
be proved from the program $P$ because $b$ was defined in $P$, in the case of $G_2 = b \supset a$
and the program $Q$ the "external" definition of $b$ is not permitted for proving the body
of the clause in $Q$. This is a major difference with the "dynamic scope rule" used in [16].
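The rules of Fig. 2 for the propositional fragment of $\mathrm{Horn}^\supset$, as an added example that is not the paper's code: a proof-search procedure that reproduces Example 10 ($P \vdash_s a$ succeeds, $Q \vdash_s b \supset a$ fails). Quantifiers (rule (4) and the instantiation part of $[P]$) are omitted, and the `static` flag is an assumption added here: with `static=False`, rule (2) keeps the whole program sequence instead of truncating it to $P_0; \ldots; P_i$, which is the usual reading of the dynamic scope rule and makes the second derivation succeed.

```python
"""Proof search for the propositional fragment of Horn^⊃ following the rules of
Fig. 2.  Constructed example, not the paper's code; quantifiers (rule (4) and
the instantiation part of the closure [P]) are left out.

  goal   G ::= 'a' | ('and', G1, G2) | ('imp', D, G)        atom, G1 ∧ G2, D ⊃ G
  clause D ::= 'a' | ('clause', G, 'a') | ('and', D1, D2)   atom, G → A, D1 ∧ D2

A program is a frozenset of clauses; a program sequence Δ = P0; ...; Pn is a
tuple of programs.
"""


def closure(program):
    """[P] of Definition 9 without instantiation: pairs (body, head), body None
    for a bare atom, after flattening conjunctions."""
    result, stack = set(), list(program)
    while stack:
        d = stack.pop()
        if isinstance(d, str):
            result.add((None, d))
        elif d[0] == 'clause':
            result.add((d[1], d[2]))
        elif d[0] == 'and':
            stack.extend((d[1], d[2]))
        else:
            raise ValueError(f"not a clause: {d!r}")
    return result


def derives(delta, goal, static=True, _path=frozenset()):
    """Δ ⊢_s G.  static=True truncates the sequence to P0;...;Pi in rule (2) as
    in Fig. 2; static=False (an assumption added here, the usual reading of the
    dynamic scope rule) keeps the whole sequence."""
    sequent = (delta, goal)
    if sequent in _path:        # same sequent already under construction: no finite proof this way
        return False
    path = _path | {sequent}
    if isinstance(goal, str):
        # Rule (1): A ∈ [Δ]
        if any((None, goal) in closure(p) for p in delta):
            return True
        # Rule (2): G → A ∈ [Pi] and P0;...;Pi ⊢_s G
        for i, prog in enumerate(delta):
            for body, head in closure(prog):
                if head == goal and body is not None:
                    context = delta[:i + 1] if static else delta
                    if derives(context, body, static, path):
                        return True
        return False
    tag = goal[0]
    if tag == 'and':            # Rule (3)
        return (derives(delta, goal[1], static, path)
                and derives(delta, goal[2], static, path))
    if tag == 'imp':            # Rule (5): Δ; {D} ⊢_s G
        return derives(delta + (frozenset([goal[1]]),), goal[2], static, path)
    raise ValueError(f"not a goal: {goal!r}")


# Example 10 of the paper, encoded in the syntax above.
B_TO_C = ('clause', 'b', 'c')                              # b → c
CLAUSE_A = ('clause', ('imp', B_TO_C, 'c'), 'a')           # ((b → c) ⊃ c) → a
P_EX = frozenset({CLAUSE_A, 'b'})
Q_EX = frozenset({CLAUSE_A})
G1 = 'a'
G2 = ('imp', 'b', 'a')                                     # b ⊃ a

if __name__ == "__main__":
    print("P |-s a           :", derives((P_EX,), G1))       # True
    print("Q |-s b ⊃ a       :", derives((Q_EX,), G2))       # False (static scope)
    print("Q |-s b ⊃ a (dyn.):", derives((Q_EX,), G2, static=False))
```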

In Appendix A we prove that the proof-subcalculus $\vdash_s$ is sound with respect to the
$FO^\supset$-calculus when restricted to the programming language $\mathrm{Horn}^\supset$.

In the rest of this section we show that $\mathrm{Horn}^\supset$ satisfies all the desirable properties
to be a strong $FO^\supset$ logic programming language. In Subsection 4.1 we present the
mathematical (or model) semantics and we prove the goal completeness property. The
operational semantics is studied in Subsection 4.2, showing the equivalence between
mathematical and operational semantics. Also completeness of $\vdash_s$ w.r.t. the $FO^\supset$-
calculus will be proved there as a consequence of previous results. Throughout the whole
section $\models$ (respectively $\vdash$) stands for the satisfaction and the logical consequence rela-
tions $\models_\Sigma$ (respectively the derivability relation $\vdash_\Sigma$) of $FO^\supset$.
4.1 Mathematical Semantics and Goal Completeness

In this subsection we first define the subcategory $\mathrm{FMod}(\Sigma)$ of $\mathrm{Mod}(\Sigma)$. Its objects are
Kripke structures with Herbrand interpretations associated to worlds, with a unique
minimal world and closed w.r.t. superset. Then, we show that to deal with $\mathrm{Horn}^\supset$
programs (as particular $FO^\supset$-theories) the category $\mathrm{Mod}(P)$ of Kripke $\Sigma$-structures
satisfying $P$ can be restricted to the subcategory $\mathrm{FMod}(P)$. Notice that, for Horn
clauses, the Herbrand models constitute the corresponding subcategory of the general
first-order structures. We will prove the existence of a model in $\mathrm{FMod}(P)$ which is
initial in the whole category $\mathrm{Mod}(P)$. Again, one can observe the parallelism with the
least Herbrand model of Horn clauses. Finally, we will prove the goal completeness
property w.r.t. this initial model.

Given a signature $\Sigma$, $U_\Sigma$ and $B_\Sigma$ will denote the Herbrand universe and the Herbrand
base, respectively. Consider the complete lattice $\mathcal{P}(B_\Sigma)$ of all Herbrand (first-order) $\Sigma$-
interpretations over the universe $U_\Sigma$. Any subset $K$ of $\mathcal{P}(B_\Sigma)$, ordered by set inclusion,
can be viewed as a Kripke $\Sigma$-structure. On these structures, $I, K \Vdash \varphi$ (or simply $I \Vdash \varphi$)
will denote $w, K \Vdash \varphi$ for the world $w$ whose associated first-order $\Sigma$-structure is $I$.

Definition 11. $\mathrm{FMod}(\Sigma)$ is the full subcategory of $\mathrm{Mod}(\Sigma)$ whose objects are the
Kripke $\Sigma$-structures $\{\mathrm{Fil}(I) \mid I \subseteq B_\Sigma\}$ where $\mathrm{Fil}(I)$ denotes the filter $\{J \subseteq B_\Sigma \mid J \supseteq I\}$.
$(\mathrm{FMod}(\Sigma), \sqsubseteq)$ is the partial order given by $\mathrm{Fil}(I_1) \sqsubseteq \mathrm{Fil}(I_2)$ iff $I_1 \subseteq I_2$. The
morphisms in $\mathrm{FMod}(\Sigma)$ can be seen as these inclusions, that is $\mathrm{Fil}(I_1) \sqsubseteq \mathrm{Fil}(I_2)$ is the
morphism $H \in \mathrm{Mod}(\Sigma)$ defined by $\sigma_H(I_2) = I_1$ and the singleton $\{\subseteq : I_1 \to I_2\}$. ■



Remark 12. Note that the morphisms $H : K_1 \to K_2$ with $K_1 \in \mathrm{FMod}(\Sigma)$ are unique
since: (i) $K_1$ has only one minimal world and (ii) if $\mathcal{A}$ and $\mathcal{B}$ are first-order $\Sigma$-structures
and $\mathcal{A}$ is finitely generated then the $\Sigma$-homomorphism $\mathcal{A} \to \mathcal{B}$ is unique. ■

Hence, for formulas $\varphi \supset \psi$, the forcing relation restricted to the class $\mathrm{FMod}(\Sigma)$ satisfies:
$I \Vdash \varphi \supset \psi$ iff for all $J \subseteq B_\Sigma$ such that $I \subseteq J$: if $J \Vdash \varphi$ then $J \Vdash \psi$.

Proposition 13. Let $I_1, I_2$ be two $\Sigma$-interpretations, $\{I_j\}_{j \in J}$ a (possibly infinite) set
of $\Sigma$-interpretations, $D$ a $\Sigma$-clause and $G$ a $\Sigma$-goal.

(a) If $I_1 \Vdash G$ then for all $I_2$ such that $I_1 \subseteq I_2$, $I_2 \Vdash G$

(b) If $I_j \Vdash D$ for each $j \in J$ then $\bigcap_{j \in J} I_j \Vdash D$

Proof. (a) is a direct consequence of persistence of goals (see Proposition 4). The proof
of (b) can be made by structural induction on $D$: For $D = A$ it is trivial, since $I \Vdash A$
iff $A \in I$. Cases $D = D_1 \wedge D_2$ and $D = \forall x D_1$ can be easily proved by applying the
induction hypothesis. For $D = G \to A$, the case $\bigcap_{j \in J} I_j \Vdash A$ is trivial. Now suppose that
$\bigcap_{j \in J} I_j \nVdash A$, then there exists $j \in J$ such that $I_j \nVdash A$ and so $I_j \nVdash G$. Hence $\bigcap_{j \in J} I_j \nVdash G$ holds
by (a), and therefore $\bigcap_{j \in J} I_j \Vdash G \to A$. ■

Proposition 14. $(\mathrm{FMod}(\Sigma), \sqsubseteq)$ is a complete lattice with bottom $\mathrm{Fil}(\emptyset) = \mathcal{P}(B_\Sigma)$.

Proof. It is enough to define the operations $\sqcup$ and $\sqcap$ for any (possibly infinite) collection
$\{\mathrm{Fil}(I_i)\}_i$ as follows: $\bigsqcup_i \mathrm{Fil}(I_i) = \mathrm{Fil}(\bigcup_i I_i)$ and $\bigsqcap_i \mathrm{Fil}(I_i) = \mathrm{Fil}(\bigcap_i I_i)$. ■
The notion of satisfaction between elements in $\mathrm{FMod}(\Sigma)$ and $\Sigma$-clauses (respectively
$\Sigma$-goals), borrowed from the underlying logic, is given by $\mathrm{Fil}(I) \models D$ iff $I \Vdash D$ (respec-
tively for $G$).

The class of models of a $\Sigma$-program $P$, denoted $\mathrm{FMod}(P)$, is defined as $\mathrm{FMod}(P) =$
$\{K \in \mathrm{FMod}(\Sigma) \mid K \models P\}$ or equivalently as $\{\mathrm{Fil}(I) \mid I \subseteq B_\Sigma,\ I \Vdash P\}$. $\mathrm{FMod}(P)$ is a full
subcategory of $\mathrm{FMod}(\Sigma)$.

Proposition 15. There exists a least element $M_P$ in $\mathrm{FMod}(P)$ with respect to $\sqsubseteq$.

Proof. $\mathrm{FMod}(P)$ is not empty since $\mathrm{Fil}(B_\Sigma) = \{B_\Sigma\}$ satisfies $P$. As a consequence
of Proposition 13(b), the intersection ($\sqcap$) of elements in $\mathrm{FMod}(P)$ is an element of
$\mathrm{FMod}(P)$. Then $M_P = \bigsqcap\{K \in \mathrm{FMod}(\Sigma) \mid K \models P\}$ belongs to $\mathrm{FMod}(P)$ and it is the
least element w.r.t. $\sqsubseteq$. Moreover, $M_P = \mathrm{Fil}(I_P)$ with $I_P = \bigcap\{I \subseteq B_\Sigma \mid I \Vdash P\}$. ■

Then, $M_P$ is the initial object in the category $\mathrm{FMod}(P)$. Now, we will prove the initiality
of $M_P$ in the (more general) category $\mathrm{Mod}(P)$. Then, following [15], the denotation
function $P \mapsto M_P$ is called the mathematical semantics of $\mathrm{Horn}^\supset$.

Definition 16. A $\Sigma$-program $P$ is satisfiable (respectively F-satisfiable) iff there exists
$K \in \mathrm{Mod}(\Sigma)$ (respectively $K \in \mathrm{FMod}(\Sigma)$) such that $K \models P$. ■

Lemma 17. For each $K \in \mathrm{Mod}(\Sigma)$ there exists $I_K \in \mathcal{P}(B_\Sigma)$ (therefore $\mathrm{Fil}(I_K) \in$
$\mathrm{FMod}(\Sigma)$) such that, for every $\Sigma$-clause $D$ and every $\Sigma$-goal $G$:

(a) If $K \models D$ then $\mathrm{Fil}(I_K) \models D$

(b) If $\mathrm{Fil}(I_K) \models G$ then $K \models G$

Moreover, there exists a unique morphism $H_K : \mathrm{Fil}(I_K) \to K$.

Proof. Let $K = (W(K), \le, (\mathcal{A}_w)_{w \in W(K)})$. We consider, for each $w \in W(K)$, the $\Sigma$-
interpretation $I_w = \{p(t_1, \ldots, t_n) \in B_\Sigma \mid w, K \Vdash p(t_1, \ldots, t_n)\}$ and let $I_K = \bigcap\{I_w \mid w \in$
$W(K)\}$. That is, $I_K = \{p(t_1, \ldots, t_n) \in B_\Sigma \mid K \models p(t_1, \ldots, t_n)\}$. Then, for each $\Sigma$-clause
$D$ and each $\Sigma$-goal $G$:

(i) If $w, K \Vdash D$ then $I_w \Vdash D$

(ii) If $I_w \Vdash G$ then $w, K \Vdash G$

The proof of the above facts (i) and (ii) is made by simultaneous induction on $D$ and $G$.

(i) and (ii) for an atom $A$: $w, K \Vdash A$ iff $A \in I_w$ iff $I_w \Vdash A$. (i) for $D_1 \wedge D_2$, $\forall x D$ and
(ii) for $G_1 \wedge G_2$, $\exists x G$, can be easily proved by applying the induction hypothesis. To
prove (i) for $G \to A$, let us suppose that $w, K \Vdash G \to A$, then $w, K \Vdash A$ or $w, K \nVdash G$.
By the induction hypothesis, $I_w \Vdash A$ or $I_w \nVdash G$ holds. Therefore $I_w \Vdash G \to A$. To
prove (ii) for $D \supset G$, suppose that $w, K \nVdash D \supset G$, then there exists $v \in W(K)$ such
that $w \le v$, $v, K \Vdash D$ and $v, K \nVdash G$. By induction, $I_v \Vdash D$ and $I_v \nVdash G$ hold. Then
$I_w \nVdash D \supset G$, since $w \le v$ implies $I_w \subseteq I_v$.

Now, to prove (a), let us suppose that $K \models D$, then for all minimal $w \in W(K)$:
$w, K \Vdash D$. Hence, by (i), for all minimal $w \in W(K)$: $I_w \Vdash D$. Then, by Proposition
13(b), $I_K \Vdash D$ holds. Therefore $\mathrm{Fil}(I_K) \models D$. The proof for (b) is symmetric: suppose
that $\mathrm{Fil}(I_K) \models G$, this means that $I_K \Vdash G$. Then, by Proposition 13(a), $I_w \Vdash G$ holds
for all minimal $w \in W(K)$. Therefore by (ii), $w, K \Vdash G$ for all minimal $w \in W(K)$.
Hence $K \models G$.

The unique morphism $H_K : \mathrm{Fil}(I_K) \to K$ is given by the collection of unique first-order
$\Sigma$-homomorphisms $\{H_w : I_K \to \mathcal{A}_w \mid w$ minimal in $W(K)\}$. ■
Theorem 18. $M_P$ is initial in the category $Mod(P)$.

Proof. Given $K \in Mod(P)$, the unique morphism from $M_P$ into $K$ is $H = H_K \circ Q$, obtained by composing the two morphisms $Q : M_P \to Fil(I_K)$ and $H_K : Fil(I_K) \to K$ of the previous lemma. ■

Corollary 19. A $\Sigma$-program $P$ is satisfiable iff it is F-satisfiable. ■

Now, we will show that $M_P$ is typical in $Mod(P)$ (and also in $FMod(P)$) w.r.t. goal satisfaction.

Proposition 20. For each $\Sigma$-program $P$ and each $\Sigma$-goal $G$: $P \models G$ iff $Fil(I) \models G$ for all $Fil(I) \in FMod(P)$.

Proof. The only-if part is trivial. For the if part, let $K \in Mod(P)$, that is, $K \models P$. Then by Lemma 17 $Fil(I_K) \models P$. Then $Fil(I_K) \models G$ and, again by Lemma 17, $K \models G$.



Theorem 21. For each $\Sigma$-program $P$ and each $\Sigma$-goal $G$: $P \models G$ iff $M_P \models G$.

Proof. The only-if part is trivial. Conversely, $M_P \models G$ is equivalent to $\bigcap\{I \subseteq B_\Sigma \mid I \Vdash P\} \Vdash G$. Therefore $I \Vdash G$ for all $I \subseteq B_\Sigma$ such that $I \Vdash P$, hence $Fil(I) \models G$ for all $Fil(I) \in FMod(P)$. Then by Proposition 20, $P \models G$. ■

From this result and the fact that $FO_\supset$ is a complete logic, the goal completeness property is obtained:

Theorem 22. For each $\Sigma$-program $P$ and each $\Sigma$-goal $G$, $P \vdash G$ iff $M_P \models G$. ■

Remark 23. It is worthwhile noting that $Fil(I) \models G$ (or $I \Vdash G$) iff $G$ is a logical consequence of $I$. This can be proved by Proposition 20, by seeing $I$ as a (possibly infinite) program of ground atoms, and by persistency of $G$. ■



4.2 Operational Semantics 

In this subsection we first define, for each $\Sigma$-program $P$, an immediate consequence operator $T_P$ (on $FMod(\Sigma)$). The monotonicity and continuity of $T_P$ in the lattice $(FMod(\Sigma), \sqsubseteq)$ allow us to use the fixpoint semantics as a bridge between the mathematical and the operational semantics. First we prove the equivalence between mathematical and fixpoint semantics and then between fixpoint and operational semantics (given by $\vdash_s$). Specifically, given a $\Sigma$-program $P$, we will use the fixpoint characterization of the least model $M_P$ of $P$ in terms of $T_P$ to prove that for every $\Sigma$-goal $G$, $M_P \models G$ if and only if $P \vdash_s G$. We will also show that the proof-subcalculus $\vdash_s$ is sound and complete with respect to the $FO_\supset$ derivability relation, restricted to $Horn_\supset$-programs and -goals.

Definition 24. The immediate consequence operator $T_P : FMod(\Sigma) \to FMod(\Sigma)$ is given by $T_P(Fil(I)) = Fil(\{A \mid \text{there exists } G \to A \in [P] \text{ such that } Fil(I) \models G\})$.
The operator $T_P$ has been defined in terms of the satisfaction relation of the underlying logic. That is, given a filter (generated by a set of ground atoms), it generates the heads of the clauses whose bodies are satisfied by this filter. We want to remark that $T_P$ is indeed an $FO_\supset$ logical consequence operator, because we can replace (see Remark 23) the satisfaction of $G$ in the model $Fil(I)$ (or equivalently the forcing of $G$ in the minimal world $I$) by the logical consequence of $G$ from $I$. Unlike the case of Horn clauses, logical consequence cannot be replaced by set membership, since goals are not just conjunctions of atoms. It is well-known that the least fixpoint and the least pre-fixpoint of a continuous operator $T$ in a complete lattice is $T^\omega(\bot)$, where $\bot$ is the bottom of the lattice. In Appendix B we prove that the above-defined operator $T_P$ is monotone and continuous in the complete lattice $(FMod(\Sigma), \sqsubseteq)$ and also that the models of $P$ are the pre-fixpoints of $T_P$. Therefore, the least fixpoint of $T_P$ is $T_P^\omega(\mathcal{P}(B_\Sigma))$, which will be simply denoted $T_P^\omega$. Then the correspondence between mathematical and fixpoint semantics is a direct consequence of these results.
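To make Definition 24 and the fixpoint iteration concrete, here is an added worked example (not code from the paper) for the ground, quantifier-free fragment of $Horn_\supset$. The encoding of goals and clauses as tuples, the sample program and the finite atom base are all constructed for the example. A Herbrand interpretation $I$ is a set of atoms, the worlds of $Fil(I)$ are the supersets of $I$ within the base, and $T_P$ is computed on minimal worlds exactly as in Definition 24: collect the heads whose bodies are forced by $I$. Because the base is finite, the quantification over worlds in $I \Vdash D \supset G$ is enumerated directly, and $T_P^\omega$ is reached by iterating from the bottom $Fil(\emptyset)$ until the first fixpoint.

```python
"""Immediate consequence operator T_P for a ground (propositional) fragment of
Horn_⊃, as an added worked example; it is not code from the paper.  Only ground
clauses and goals are handled, so the quantifier cases are dropped and a
Herbrand interpretation I is a frozenset of atom names over a finite base."""
from itertools import combinations

# Syntax (constructed encoding for this example):
#   goals   G ::= ('true',) | ('atom', a) | ('and', G1, G2) | ('imp', D, G)   -- D ⊃ G
#   clauses D ::= ('atom', a) | ('and', D1, D2) | ('clause', G, a)            -- G → a
# A program P is a list of clauses; in the ground case [P] is P itself.

def atom(a):       return ('atom', a)
def conj(x, y):    return ('and', x, y)
def clause(G, a):  return ('clause', G, a)
def emb(D, G):     return ('imp', D, G)

def worlds_above(I, base):
    """The worlds of Fil(I): every J with I ⊆ J ⊆ base (finite base, so enumerable)."""
    rest = sorted(base - I)
    for k in range(len(rest) + 1):
        for extra in combinations(rest, k):
            yield I | frozenset(extra)

def forces_goal(I, G, base):
    """I ⊩ G, the forcing relation at the minimal world I of Fil(I)."""
    kind = G[0]
    if kind == 'true':
        return True
    if kind == 'atom':
        return G[1] in I
    if kind == 'and':
        return forces_goal(I, G[1], base) and forces_goal(I, G[2], base)
    if kind == 'imp':   # I ⊩ D ⊃ G iff every world J ⊇ I forcing D also forces G
        D, G1 = G[1], G[2]
        return all(forces_goal(J, G1, base)
                   for J in worlds_above(I, base) if forces_clause(J, D, base))
    raise ValueError(f"unknown goal form {kind}")

def forces_clause(I, D, base):
    """I ⊩ D for a clause D; a clause G → a is evaluated at the world I itself."""
    kind = D[0]
    if kind == 'atom':
        return D[1] in I
    if kind == 'and':
        return forces_clause(I, D[1], base) and forces_clause(I, D[2], base)
    if kind == 'clause':
        G, a = D[1], D[2]
        return a in I or not forces_goal(I, G, base)
    raise ValueError(f"unknown clause form {kind}")

def heads(P):
    """Flatten a program into (body goal, head atom) pairs; facts get the body 'true'."""
    for D in P:
        if D[0] == 'and':
            yield from heads([D[1], D[2]])
        elif D[0] == 'atom':
            yield (('true',), D[1])
        else:
            yield (D[1], D[2])

def T_P(P, I, base):
    """T_P on minimal worlds: the heads whose bodies are forced by I (Definition 24)."""
    return frozenset(a for G, a in heads(P) if forces_goal(I, G, base))

def least_model(P, base):
    """T_P^ω starting from the bottom Fil(∅): iterate until the first fixpoint."""
    I = frozenset()
    while True:
        J = T_P(P, I, base)
        if J == I:
            return I
        I = J

def atoms_of(x):
    if x[0] == 'true':   return set()
    if x[0] == 'atom':   return {x[1]}
    if x[0] == 'clause': return atoms_of(x[1]) | {x[2]}
    return atoms_of(x[1]) | atoms_of(x[2])

# Constructed sample program.  'q' needs p ⊃ r while the clause r ← p sits in the
# outer program: the worlds above I only add atoms, so the world {p} forces p but
# not r and q is NOT derived.  't' assumes the clause p → r inside the embedded
# implication, so every world forcing p ∧ (p → r) forces r and t IS derived.
PROGRAM = [
    atom('b'),
    clause(atom('b'), 'a'),                                  # a ← b
    clause(emb(atom('p'), atom('r')), 'q'),                  # q ← (p ⊃ r)
    clause(atom('p'), 'r'),                                  # r ← p
    clause(emb(conj(atom('p'), clause(atom('p'), 'r')), atom('r')), 't'),  # t ← ((p ∧ (p → r)) ⊃ r)
]
BASE = frozenset().union(*(atoms_of(D) for D in PROGRAM))

def demo():
    """Return the least model M_P and whether M_P ⊨ a ∧ (p ⊃ (p ∧ b)) (Theorem 21)."""
    M = least_model(PROGRAM, BASE)
    goal = conj(atom('a'), emb(atom('p'), conj(atom('p'), atom('b'))))
    return sorted(M), forces_goal(M, goal, BASE)
```

Running `demo()` gives the least model `['a', 'b', 't']` and `True` for the goal. The enumeration of all worlds above $I$ is exponential in the size of the base, which is exactly the point made above: logical consequence of an embedded implication cannot be reduced to a membership test, as it can for plain Horn bodies.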

Theorem 25. For all $\Sigma$-programs $P$, $T_P^\omega = M_P$. ■

Now we will prove the equivalence between mathematical, fixpoint and operational semantics. We need the following lemma to complete such equivalences. This result was proved in [8], and our proof is an adaptation (for our operator $T_P$) of the proof given there. For that reason we will only give a sketch of this proof, detailing the main differences.

Lemma 26. Given a $\Sigma$-program $P$ and a $\Sigma$-goal $G$, if $T_P^\omega \models G$ then $P \vdash_s G$.

Sketch of the proof. Let $I_n$ denote the minimal world in $T_P^n(\mathcal{P}(B_\Sigma))$, for each $n \ge 0$. Since $T_P^\omega = \bigcup_{n < \omega} T_P^n(\mathcal{P}(B_\Sigma))$, the minimal world in $T_P^\omega$ is $\bigcup_{n < \omega} I_n$. Then by continuity of $T_P$ it suffices to prove that $I_n \Vdash G \Rightarrow P \vdash_s G$ holds for each $n \ge 0$. The proof is by induction on the highest number $m$ of ($\supset$)-nesting levels in $P$ and $G$. If $m = 0$ (there are no occurrences of $\supset$ either in $P$ or in $G$), then the proof can be done by double induction on $n$ and $G$. The induction hypothesis holds for at most $m - 1$ ($\supset$)-nesting levels in $P$ and $G$. For the case $m > 0$, let us develop in detail only the subcase $n > 0$ and $G = D_1 \supset G_1$. Let $D_1'$ be the program $I_n \cup D_1$ (seeing the atoms in $I_n$ as clauses with empty bodies) and let $I_{D_1'}$ be the minimal world in $T_{D_1'}^\omega$. Then $I_{D_1'} \Vdash D_1$ and $I_n \subseteq I_{D_1'}$. Therefore $I_{D_1'} \Vdash G_1$. By induction on $D_1'$ and $G_1$ (note that the highest number of ($\supset$)-nesting levels in $D_1'$ and $G_1$ is less than $m$), $I_n \cup D_1 \vdash_s G_1$ holds. Finally, some $\vdash_s$-properties that are easy to prove (see [8] for details) are used to obtain the following implications: $I_n \cup D_1 \vdash_s G_1 \Rightarrow I_n; D_1 \vdash_s G_1 \Rightarrow I_n \vdash_s (D_1 \supset G_1) \Rightarrow \{A \mid P \vdash_s A\} \vdash_s (D_1 \supset G_1) \Rightarrow P \vdash_s (D_1 \supset G_1)$. ■

The following theorem summarizes all the obtained results. In particular, the equivalence between mathematical and operational semantics is given by (c) $\Leftrightarrow$ (e).

Theorem 27. For each $\Sigma$-program $P$ and each $\Sigma$-goal $G$, the following sentences are equivalent:

(a) $P \models G$

(b) $P \vdash G$

(c) $M_P \models G$

(d) $T_P^\omega \models G$

(e) $P \vdash_s G$
Proof. (a) $\Leftrightarrow$ (b) by the soundness and completeness of $FO_\supset$

(b) $\Leftrightarrow$ (c) by the goal completeness property (Th. 22)

(c) $\Leftrightarrow$ (d) by the equivalence between mathematical and fixpoint semantics (Th. 25)

(d) $\Rightarrow$ (e) by Lemma 26

(e) $\Rightarrow$ (b) by the soundness of $\vdash_s$ w.r.t. $\vdash$ (Th. 30 in Appendix A) ■

Corollary 28. The proof-subcalculus $\vdash_s$ is complete with respect to the $FO_\supset$-calculus when restricted to the programming language $Horn_\supset$.

We have used an abstract formulation of the operational semantics, given by the proof-subcalculus $\vdash_s$. The effectiveness of such a subcalculus means the capability of implementing it. This task is out of the scope of this paper; however, we would like to mention here some works giving the main ideas towards such an implementation. In [8] a less abstract operational semantics is given by using notions of substitution, unification and variable renaming for the notation $[P]$. Whereas this semantics is equivalent to the given one, it provides an abstract interpreter for the language $Horn_\supset$. In [1] are also shown, by means of examples, some of the most relevant points taken into account to make a concrete implementation.



5 Conclusions and Related Work 

We have presented a new characterization for the language $Horn_\supset$ of Horn clauses extended with static embedded implication (introduced in [8]). Our characterization is based on the methodology proposed in [14, 15] for defining logic programming languages. Hence, we have enriched the underlying logic (FO) of the original language (Horn clauses) with intuitionistic implication, in a very natural way, obtaining the complete logic $FO_\supset$. Then we have given an $FO_\supset$-axiomatization of $Horn_\supset$ showing that it satisfies all the desirable mathematical and computational properties. The fact of fixing the underlying logic $FO_\supset$ allows us to deal with $Horn_\supset$-programs as special $FO_\supset$-theories. Therefore, metalogical properties of programs and goals can be studied in a clean and sound way relative to fixed notions (such as model, satisfaction, morphism, derivability, etc.) in the underlying framework. Following this methodology, we have obtained a subclass ($FMod(\Sigma)$) of logical structures powerful enough for dealing with $Horn_\supset$-programs, as the subclass of Herbrand interpretations is for Horn clauses in the first-order case. Indeed, we show that a program (as a theory) has a (general) model iff it has a model in the subclass $FMod(\Sigma)$. We believe that this is an important result about the model-theoretic semantics of $Horn_\supset$. Actually, the equivalence between the two model-theoretic semantics presented in [8] is a direct consequence of the definition of $FMod(\Sigma)$. Moreover, $FMod(\Sigma)$ is crucial for both the initial and the fixpoint semantics. On the one hand, for any program $P$, $FMod(P)$ has a least element $M_P$ which can be obtained as the intersection of all models of $P$ and also as the $\omega$-iteration of a continuous immediate consequence operator $T_P$ defined on $FMod(\Sigma)$. Our fixpoint semantics is essentially equivalent to the fixpoint semantics of [8], although it is obtained in a very different way. As we pointed out in Subsection 4.2, the operator $T_P$ is indeed based on the logical consequence of the underlying logic (or equivalently on its satisfaction relation). However, the immediate consequence operator of [8] is based on the notion of environment, and it requires an ad-hoc satisfaction relation between Herbrand interpretations and goals. Moreover, we prove that the operational semantics of $Horn_\supset$ is equivalent to the underlying logical derivability relation. In fact, this derivability relation is induced by a calculus (Figure 1) designed as an extension of the operational semantics of $Horn_\supset$. On the other hand, we have shown that $Horn_\supset$-programs are $FO_\supset$-theories with initial semantics: $M_P$ (or equivalently $T_P^\omega$) is the initial object in the class $Mod(P)$ of all (general) models of the program $P$. Hence, our characterization of $Horn_\supset$, firstly, places some well-known results into the logical framework given by $FO_\supset$ and, secondly, extends these results to a strong axiomatization providing a well-established model-theoretic semantics and an initial semantics.

We believe that further extensions of this logic programming language, for example with some kind of negation, could be better developed using the logical foundation provided by this strong $FO_\supset$-axiomatization. With respect to this matter, there are several papers dealing with dynamic intuitionistic implication and some kind of negation, e.g. [3, 5, 9, 10, 12, 13]. We plan to investigate also a possible $FO_\supset$-axiomatization of the dynamic scope language of [16] in order to place both languages (from [8] and [16]) into the common underlying logic $FO_\supset$. $FO_\supset$ and intuitionistic logic are essentially equivalent for dealing with the latter language. We mean that, although these two logics differ in the interpretation of the universal quantifier, both coincide in clause interpretation over structures with constant universe, and it is well-known (cf. [2, 7]) that these structures are powerful enough. In [16] it is proved that the operational semantics of its language corresponds to intuitionistic derivability. In [2] it is shown that the canonical model (of a program), obtained in [16] by a fixpoint construction, is indeed an intuitionistic model of the program. They also give an intuitionistic (Kripke-based) model theory for this language. Apart from the difference in the considered programming language, there are three most remarkable differences with our Kripke-based approach: their logical structures are generated by terms, our notions of satisfaction and logical consequence are different, and the worlds of their canonical model are indexed by programs.

A different approach to giving logical foundations to this kind of logic programming languages (or in general to Horn clause extensions) is the transformational one, which consists in translating programs to the language of some well-known logic. In [7] the language defined in [8] is translated to S4 modal logic. They also translate the language defined in [16] in order to set both languages into a common logical framework.

The transformational approach is also taken in [19, 20], where logic programs with embedded implications are translated to Horn clause programs. In [20] the definition of a predicate in a new module overrides its definition in previous modules, therefore nested definitions are independent of definitions in outer modules. The semantics of such languages can be defined by a direct mapping from programs in the extended language to Horn clause programs. Then, Horn clause theory can be used to give logical and computational foundations to the extended language. However, as is pointed out in [2, 20], when predicate extension is allowed, the translation of each predicate definition (inside a module) raises different predicate definitions, each one depending on the collection of modules that have to be used. In dynamically scoped languages this collection can only be determined at run-time, forcing new arguments to be added to the translated predicates to represent the modules currently in use. This makes the transformational approach inadequate for both semantics and implementation issues. For statically scoped languages, such as the language studied in this paper, this approach could still be useful for implementation issues, since there is a lexical way to determine such a collection of modules (for each goal). However, the translation would not be so direct because of the multiple transformation of each original predicate. Therefore, in our opinion, for semantical foundation the model-theoretic approach started in [8], whose results we have enriched by setting a well-established logical framework, is more adequate.
A Appendix: Soundness of the proof-subcalculus



We prove here that the proof-subcalculus $\vdash_s$ is sound with respect to the $FO_\supset$-calculus when restricted to the programming language $Horn_\supset$. In the following, the rules in the $FO_\supset$-calculus and the rules in $\vdash_s$ will be respectively called the logical and operational rules.

Lemma 29. Let $\Delta$ be a sequence of $\Sigma$-programs $P_0; \dots; P_n$ ($n \ge 0$) and $G$ be a $\Sigma$-goal. If $\Delta \vdash_s G$ then $\Delta \vdash G$.

Proof. Soundness of $\vdash_s$ w.r.t. $\vdash$ would be obvious if each operational rule were a logical rule, but there is a slight difference: the use of the ($\forall$L) and ($\wedge$L) logical rules is compensated by the use of the notation $[\Delta]$ in operational rules (1) and (2). So each of the operational rules (1) through (5) is derivable in the $FO_\supset$-calculus in the following way: Rule (1) is derivable using a number of steps of ($\forall$L) and ($\wedge$L) and one step of (Init). Rule (2) can be seen as a particular case of ($\to$L) when $\chi = \psi$. For this reason Rule (2) does not need a second premise, which holds by (Init). Therefore, Rule (2) is a combination of ($\forall$L), ($\wedge$L), ($\to$L) and (Init). Rule (3) is (R$\wedge$), Rule (4) is (R$\exists$) and Rule (5) is (R$\supset$).

Now, a proof of the sequent $\Delta \vdash G$ can be made by substituting the corresponding step(s) in the $FO_\supset$-calculus for each step in the proof of $\Delta \vdash_s G$. ■



As a particular case of this lemma, for $\Delta$ being a single program $P$, the following result is obtained:

Theorem 30. Given a $\Sigma$-program $P$ and a $\Sigma$-goal $G$, if $P \vdash_s G$ then $P \vdash G$. ■



B Appendix: Fixpoint Semantics 



In this part, we prove the results that are sufficient to establish that $T_P^\omega$ is the least fixpoint of the operator $T_P$ defined in Subsection 4.2 and that $T_P^\omega$ is the least model of $P$.

Proposition 31. $T_P$ is monotone.

Proof. Suppose that $Fil(I_1) \sqsubseteq Fil(I_2)$, that is, $I_1 \subseteq I_2$. Then (by Proposition 13(a)) $\{A \mid G \to A \in [P], I_1 \Vdash G\} \subseteq \{A \mid G \to A \in [P], I_2 \Vdash G\}$ holds. Therefore $T_P(Fil(I_1)) \sqsubseteq T_P(Fil(I_2))$. ■



In order to prove the continuity of $T_P$, we first establish the following key lemma:

Lemma 32. For every chain $I_1 \subseteq I_2 \subseteq \dots \subseteq I_j \subseteq \dots$ of Herbrand $\Sigma$-interpretations, every $\Sigma$-clause $D$ and every $\Sigma$-goal $G$,

(a) $\bigcup_j I_j \Vdash G \Rightarrow$ there exists $j_0$ such that $I_{j_0} \Vdash G$

(b) $\bigcup_j I_j \nVdash D \Rightarrow$ there exists $j_0$ such that $I_{j_0} \nVdash D$
Proof. We proceed by simultaneous induction. For atoms, (a) and (b) are trivial since $I \Vdash A$ iff $A \in I$. (a) for $G = \exists x G_1$ and (b) for $D = D_1 \wedge D_2$, $D = \forall x D_1$ can be easily proved by the induction hypothesis.

To prove (a) for $G = G_1 \wedge G_2$, suppose that $\bigcup_j I_j \Vdash G_1 \wedge G_2$. Then for some indices $j_1, j_2$: $I_{j_1} \Vdash G_1$ and $I_{j_2} \Vdash G_2$. Hence $I_j \Vdash G_1 \wedge G_2$ holds for $j = \max(j_1, j_2)$. Now, consider (b) for $D = G_1 \to A_1$. If $\bigcup_j I_j \nVdash D$ then $\bigcup_j I_j \Vdash G_1$ and $A_1 \notin \bigcup_j I_j$. By induction, there exists $j_0$ such that $I_{j_0} \Vdash G_1$ and $A_1 \notin I_{j_0}$. Therefore $I_{j_0} \nVdash D$.

In order to prove (a) for $G = D_1 \supset G_1$, we proceed by contradiction. Let us suppose that for all indices $j$: $I_j \nVdash D_1 \supset G_1$. Then, for each $j$, there exists $J_j$ such that $I_j \subseteq J_j$, $J_j \Vdash D_1$ and $J_j \nVdash G_1$. Considering, for each $j$, the non-empty set of interpretations $C_j = \{I \mid I_j \subseteq I, I \Vdash D_1, I \nVdash G_1\}$ and taking, for each $j$, the interpretation $I'_j = \bigcap\{I \mid I \in C_j\}$, the following facts are verified:

(i) $I_j \subseteq I'_j$, for all $j$

(ii) $I'_j \Vdash D_1$ and $I'_j \nVdash G_1$, for all $j$

(iii) the $I'_j$ form the chain $I'_1 \subseteq I'_2 \subseteq \dots \subseteq I'_j \subseteq \dots$

By applying the induction hypothesis on $D_1$, $G_1$ and the chain $\{I'_j\}_j$, we have $\bigcup_j I'_j \Vdash D_1$ and $\bigcup_j I'_j \nVdash G_1$. Since $\bigcup_j I_j \subseteq \bigcup_j I'_j$, then $\bigcup_j I_j \nVdash D_1 \supset G_1$, in contradiction with the hypothesis. ■



Theorem 33. Let $Fil(I_1) \sqsubseteq Fil(I_2) \sqsubseteq \dots \sqsubseteq Fil(I_j) \sqsubseteq \dots$ be a chain of elements in $FMod(\Sigma)$. Then $T_P(\bigsqcup_j Fil(I_j)) = \bigsqcup_j T_P(Fil(I_j))$.

Proof. $\bigsqcup_j T_P(Fil(I_j)) \sqsubseteq T_P(\bigsqcup_j Fil(I_j))$ holds by monotonicity. The reverse inclusion is equivalent to proving that $\{A \mid G \to A \in [P], \bigcup_j I_j \Vdash G\} \subseteq \bigcup_j \{A \mid G \to A \in [P], I_j \Vdash G\}$. Let $A \in \{A \mid G \to A \in [P], \bigcup_j I_j \Vdash G\}$. Then, for some $G$: $G \to A \in [P]$ and $\bigcup_j I_j \Vdash G$. Since $I_1 \subseteq I_2 \subseteq \dots \subseteq I_j \subseteq \dots$, there exists an index $j_0$ such that $I_{j_0} \Vdash G$. Then $A \in \{A \mid G \to A \in [P], I_{j_0} \Vdash G\} \subseteq \bigcup_j \{A \mid G \to A \in [P], I_j \Vdash G\}$. ■



The following lemma states that the models of $P$ are the pre-fixpoints of $T_P$.

Lemma 34. Let $P$ be a $\Sigma$-program and $Fil(I) \in FMod(\Sigma)$. Then $Fil(I) \in FMod(P)$ iff $T_P(Fil(I)) \sqsubseteq Fil(I)$.

Proof. Let $Fil(I) \in FMod(P)$ and let us show that $\{A \mid G \to A \in [P], I \Vdash G\} \subseteq I$. If $A \in \{A \mid G \to A \in [P], I \Vdash G\}$, then there exists some $G$ such that $G \to A \in [P]$ and $I \Vdash G$. Therefore $A \in I$, since $I \Vdash [P]$. Conversely, let $\{A \mid G \to A \in [P], I \Vdash G\} \subseteq I$. We have to show that $Fil(I) \models G \to A$, for each $G \to A \in [P]$. Suppose $Fil(I) \models G$. Then $A \in \{A \mid G \to A \in [P], I \Vdash G\} \subseteq I$. Hence $Fil(I) \models A$. ■
Abstract. We propose an unfolding semantics for graph transformation systems in the double-pushout (DPO) approach. Mimicking Winskel's construction for Petri nets, a graph grammar is unfolded into an acyclic branching structure, that is itself a (nondeterministic occurrence) graph grammar describing all the possible computations of the original grammar. The unfolding can be abstracted naturally to a prime algebraic domain and then to an event structure semantics. We show that such event structure coincides both with the one defined by Corradini et al. [3] via a comma category construction on the category of concatenable derivation traces, and with the one proposed by Schied [13], based on a deterministic variant of the DPO approach. These results, besides confirming the appropriateness of our unfolding construction, unify the various event structure semantics for the DPO approach to graph transformation.



1 Introduction 

Since many (natural or artificial) distributed structures can be represented (at 
a suitable level of abstraction) by graphs, and graph productions act on those 
graphs with local transformations, it is quite obvious that graph transformation 
systems are potentially interesting for the study of the concurrent transformation 
of structures. In particular, Petri nets [11], the first formal tool proposed for the 
specification of the behaviour of concurrent systems, can be regarded as graph 
transformation systems that act on a restricted kind of graphs, namely discrete, 
labelled graphs (to be interpreted as sets of tokens labelled by place names). 

In recent years, various concurrent semantics for graph rewriting systems 
have been proposed in the literature, some of which are inspired by the mentioned 
correspondence with Petri nets (see [2] for a tutorial introduction to the topic and 
for relevant references). A classical result in the theory of concurrency for Petri 
nets, due to Winskel [15], shows that the event structure semantics of safe nets 
can be given via a chain of adjunctions starting from the category Safe of safe 
nets, through category Occ of occurrence nets (this result has been generalized 
to arbitrary P/T nets in [9]). In particular, the event structure associated with 
a net is obtained by first constructing a "nondeterministic unfolding" of the net, 
and then by extracting from it the events (which correspond to the transitions) 
and the causal and conflict relations among them. 

In the present paper we propose a similar unfolding construction for DPO 
graph grammars, which can be considered as a first contribution to a functo- 
rial semantics in Winskel’s style. After recalling in Section 2 the basics of typed 
graph transformation systems and their correspondence with Petri nets, we in- 
troduce, in Section 3, the notion of nondeterministic occurrence grammar, a 
generalization of the deterministic occurrence grammars of [4], representing in 
a unique “branching” structure several possible “acyclic” computations. Inter- 
estingly, unlike the case of Petri nets, the relationships among productions of 
an occurrence graph grammar cannot be captured completely by two binary 
relations representing causality and symmetric conflict. Firstly, due to the pos- 
sibility of preserving some items in a rewriting step an asymmetric notion of 
conflict has to be considered. The way we face the problem is borrowed from [1], 
where we addressed an analogous situation arising in the treatment of contex- 
tual nets. Secondly, further dependencies among productions are induced by the 
application conditions, which constrain the applicability of the rewrite rules in 
order to preserve the consistency of the graphical structure of the state. 

Next, in Section 4 we present an unfolding construction that, when applied 
to a given grammar $\mathcal{G}$, yields a nondeterministic occurrence grammar $\mathcal{U}_{\mathcal{G}}$, which 
describes its behaviour. The idea consists of starting from the initial graph of 
the grammar, applying in all possible ways its productions, and recording in the 
unfolding each occurrence of production and each new graph item generated by 
the rewriting process. Our unfolding construction is conceptually similar to the 
unfolding semantics proposed for graph rewriting in the single-pushout approach 
by Ribeiro in [12]. However, here the situation is more involved and the two 
approaches are not directly comparable, due to the absence of the application 
conditions (dangling and identification) in the single-pushout approach. 

In Section 5 we show how a prime algebraic domain (and therefore a prime 
event structure) can be extracted naturally from a nondeterministic occurrence 
grammar. Then the event structure semantics $ES(\mathcal{G})$ of a grammar $\mathcal{G}$ is defined as 
the event structure associated to its unfolding $\mathcal{U}_{\mathcal{G}}$. In Section 6 such semantics is 
shown to coincide with two other event structure semantics for graph rewriting 
in the literature: the one by Corradini et al. [3], built on top of the abstract, 
truly concurrent model of computation of a grammar (a category having abstract 
graphs as objects and concatenable derivation traces as arrows), and the one by 
Schied [13], based on a deterministic variation of the DPO approach. Finally, in 
Section 7 we conclude and present some possible directions of future work. 

2 Typed Graph Grammars 

This section briefly summarizes the basic definitions about typed graph gram- 
mars [4], a variation of classical DPO graph grammars [6, 5] where the rewriting 
takes place on the so-called typed graphs, namely graphs labelled over a structure 
(the graph of types) that is itself a graph. Besides being strictly more general 
than usual labelled graphs, typed graphs will also allow us to have a clearer 
correspondence between graph grammars and Petri nets. 

Formally, a (directed, unlabelled) graph is a tuple $G = \langle N, E, s, t \rangle$, where $N$ is a set of nodes, $E$ is a set of arcs, and $s, t : E \to N$ are the source and target functions. A graph morphism $f : G \to G'$ is a pair of functions $f = (f_N : N \to N', f_E : E \to E')$ preserving sources and targets, i.e., such that $f_N \circ s = s' \circ f_E$ and $f_N \circ t = t' \circ f_E$. Given a graph of types $TG$, a typed graph is a pair $\langle G, t_G \rangle$, where $G$ is a graph and $t_G : G \to TG$ is a morphism. A morphism between typed graphs $f : \langle G_1, t_{G_1} \rangle \to \langle G_2, t_{G_2} \rangle$ is a graph morphism $f : G_1 \to G_2$ consistent with the typing, i.e., such that $t_{G_1} = t_{G_2} \circ f$. The category of $TG$-typed graphs and typed graph morphisms is denoted by $TG$-Graph.

Fixed a graph $TG$ of types, a ($TG$-typed graph) production $(L \xleftarrow{l} K \xrightarrow{r} R)$ is a pair of injective typed graph morphisms $l : K \to L$ and $r : K \to R$. It is called consuming if the morphism $l : K \to L$ is not surjective. The typed graphs $L$, $K$, and $R$ are called the left-hand side, the interface, and the right-hand side of the production, respectively. A ($TG$-typed) graph grammar $\mathcal{G}$ is a tuple $\langle TG, G_{in}, P, \pi \rangle$, where $G_{in}$ is the initial (typed) graph, $P$ is a set of production names, and $\pi$ a function which associates a graph production to each production name in $P$. We denote by $Elem(\mathcal{G})$ the set $N_{TG} \cup E_{TG} \cup P$. Moreover, sometimes we shall write $q : (L \xleftarrow{l} K \xrightarrow{r} R)$ for $\pi(q) = (L \xleftarrow{l} K \xrightarrow{r} R)$.

Since in this paper we work only with typed notions, we will usually omit the 
qualification “typed”, and we will not indicate explicitly the typing morphisms. 
Moreover, we will consider only consuming grammars, namely grammars where 
all productions are consuming: this corresponds, in the theory of Petri nets, to 
the common requirement that transitions must have non-empty preconditions. 

Given a typed graph $G$, a production $q : (L \xleftarrow{l} K \xrightarrow{r} R)$, and a match (i.e., a graph morphism) $g : L \to G$, a direct derivation $\delta$ from $G$ to $H$ using $q$ (based on $g$) exists, written $\delta : G \Rightarrow_q H$, if and only if the diagram

            l          r
      L <-------- K --------> R
      |           |           |
     g|          k|          h|
      v           v           v
      G <-------- D --------> H
            b          d

can be constructed, where both squares have to be pushouts in $TG$-Graph.

Roughly speaking, the rewriting step removes from the graph $G$ the items of the left-hand side which are not in the image of the interface, namely $L - l(K)$, producing in this way the graph $D$. Then the items in the right-hand side which are not in the image of the interface, namely $R - r(K)$, are added to $D$, obtaining the final graph $H$. Notice that the interface graph $K$ (common part of $L$ and $R$) specifies both what is preserved and how the added subgraph has to be connected to the remaining part.

It is worth recalling here that given an injective morphism $l : K \to L$ and a match $g : L \to G$ as in the above diagram, their pushout complement (i.e., a graph $D$ with morphisms $k$ and $b$ such that the left square is a pushout) only exists if the gluing conditions are satisfied. These consist of two parts:

— the identification condition, requiring that if two distinct nodes or arcs of $L$ are mapped by $g$ to the same image, then both must be in the image of $l$;

— the dangling condition, stating that no arc in $G - g(L)$ should be incident to a node in $g(L - l(K))$ (because otherwise the application of the production would leave such an arc "dangling").

Notice that the identification condition does not forbid the match to be non- 
injective on preserved items. Intuitively this means that preserved (read-only) 
resources can be used with multiplicity greater than one. 

A derivation over a grammar $\mathcal{G}$ is a sequence of direct derivations (over $\mathcal{G}$) $\rho = \{G_i \Rightarrow_{q_i} G_{i+1}\}_{i < n}$. The derivation is written as $\rho : G_0 \Rightarrow_{q_0} G_1 \Rightarrow_{q_1} \dots \Rightarrow_{q_{n-1}} G_n$ or simply as $\rho : G_0 \Rightarrow^* G_n$. The graphs $G_0$ and $G_n$ are called the starting and the ending graph of $\rho$, and are denoted by $\sigma(\rho)$ and $\tau(\rho)$, respectively.

Relation with Petri nets. To conclude this section it is worth explaining 
the relation between Petri nets and DPO graph grammars. The fact that graph 
transformation systems can model the behaviour of Petri nets was first 
formalized by Kreowski in [8]. The proposed encoding of nets into grammars 
represents the topological structure of a marked net as a graph, in such a way 
that the firing of transitions is modelled by direct derivations. 

Here we use a slightly simpler modelling, discussed, among others, in [2]. 
The basic observation is that a P/T Petri net is essentially a rewriting system 
on multisets, and that, given a set A, a multiset of A can be represented as a 
discrete graph typed over A. In this view a P/T Petri net can be seen as a graph 
grammar acting on discrete graphs typed over the set of places, the productions 
being (some encoding of) the net transitions: a marking is represented by a set 
of nodes (tokens) labelled by the place where they are, and, for example, the 
unique transition $t$ of the net in Fig. 1(a) is represented by the graph production 
in the top row of Fig. 1(b). Notice that the interface is empty since nothing is 
explicitly preserved by a net transition. 




Fig. 1. Firing of a transition and corresponding DPO direct derivation. 



It is easy to check that this representation satisfies the properties one would 
expect: a production can be applied to a given marking if and only if the corre- 
sponding transition is enabled and, in this case, the double pushout construction produces the same marking as the firing of the transition. For instance, the firing of transition $t$, leading from the marking $3A + 2B$ to the marking $A + B + C + D$ in Fig. 1(a), becomes the double pushout diagram of Fig. 1(b).
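The following is an added example (not code from the paper) that carries out a direct derivation on typed graphs as described above, checking the two gluing conditions before building the pushout complement $D$ and the result $H$, and then uses it for the net encoding of Fig. 1: the transition $t$ with pre-set $2A + B$ and post-set $C + D$ is a production on discrete graphs typed over the places, with an empty interface. Conventions assumed here, not fixed by the paper: $l$ and $r$ are taken as inclusions (item names of $K$ are shared with $L$ and $R$, which loses nothing since both morphisms are injective), a match $g$ is a dict from items of $L$ to items of $G$, and the graphs, node names and the arc in the dangling example are all constructed.

```python
"""DPO direct derivation on typed graphs, as an added example; it is not code
from the paper.  Assumed conventions: l: K → L and r: K → R are inclusions
(K's item names are shared with L and R), and a match g: L → G is a dict."""
from collections import Counter
from itertools import count

class Graph:
    """A TG-typed graph: nodes, arcs as name -> (source, target), typing item -> TG item."""
    def __init__(self, nodes, arcs, typing):
        self.nodes = set(nodes)
        self.arcs = dict(arcs)
        self.typing = dict(typing)
    def items(self):
        return self.nodes | set(self.arcs)

def is_match(L, G, g):
    """g is a typed graph morphism L → G: it preserves sources, targets and typing."""
    for n in L.nodes:
        if g.get(n) not in G.nodes or G.typing[g[n]] != L.typing[n]:
            return False
    for a, (s, t) in L.arcs.items():
        if g.get(a) not in G.arcs or G.typing[g[a]] != L.typing[a]:
            return False
        if G.arcs[g[a]] != (g[s], g[t]):
            return False
    return True

def identification_ok(L, K, g):
    """Two distinct items of L with the same image under g must both lie in l(K)."""
    items = sorted(L.items())
    return all(g[x] != g[y] or (x in K.items() and y in K.items())
               for i, x in enumerate(items) for y in items[i + 1:])

def dangling_ok(L, K, G, g):
    """No arc of G outside g(L) may be incident to a node of g(L - l(K))."""
    deleted = {g[n] for n in L.nodes - K.nodes}
    matched = {g[a] for a in L.arcs}
    return not any(a not in matched and (s in deleted or t in deleted)
                   for a, (s, t) in G.arcs.items())

_FRESH = count(1)   # names for the items created from R - r(K)

def direct_derivation(G, production, g):
    """Return (D, H) for G ==q=> H; raise ValueError when a gluing condition fails,
    i.e. when the pushout complement D does not exist and the step is forbidden."""
    L, K, R = production
    if not is_match(L, G, g):
        raise ValueError("g is not a match")
    if not identification_ok(L, K, g):
        raise ValueError("identification condition violated")
    if not dangling_ok(L, K, G, g):
        raise ValueError("dangling condition violated")
    # Pushout complement: D is G without the images of L - l(K)
    del_nodes = {g[n] for n in L.nodes - K.nodes}
    del_arcs = {g[a] for a in set(L.arcs) - set(K.arcs)}
    D = Graph(G.nodes - del_nodes,
              {a: e for a, e in G.arcs.items() if a not in del_arcs},
              {x: ty for x, ty in G.typing.items() if x not in del_nodes | del_arcs})
    # Pushout: fresh copies of R - r(K) are glued onto D along K (K goes through g)
    h = {x: g[x] for x in K.items()}
    for x in sorted(R.items() - K.items()):
        h[x] = f"{x}#{next(_FRESH)}"
    new_arcs = {h[a]: (h[s], h[t]) for a, (s, t) in R.arcs.items() if a not in K.arcs}
    new_typing = {h[x]: R.typing[x] for x in R.items() - K.items()}
    H = Graph(D.nodes | {h[n] for n in R.nodes - K.nodes},
              {**D.arcs, **new_arcs}, {**D.typing, **new_typing})
    return D, H

# --- Petri net encoding: discrete graphs typed over the set of places ---------
def discrete(nodes_by_place):
    """A multiset of places as a discrete graph: node name -> place (its type)."""
    return Graph(nodes_by_place, {}, nodes_by_place)

def marking(G):
    """Read the marking back off a discrete typed graph."""
    return dict(Counter(G.typing[n] for n in G.nodes))

# Constructed transition t: pre-set 2A + B, post-set C + D, empty interface
TRANSITION_T = (discrete({'l1': 'A', 'l2': 'A', 'l3': 'B'}),
                discrete({}),
                discrete({'r1': 'C', 'r2': 'D'}))
MATCH = {'l1': 'a1', 'l2': 'a2', 'l3': 'b1'}

def fire_example():
    """Fire t on the marking 3A + 2B; returns the markings of G, D and H."""
    G = discrete({'a1': 'A', 'a2': 'A', 'a3': 'A', 'b1': 'B', 'b2': 'B'})
    D, H = direct_derivation(G, TRANSITION_T, MATCH)
    return marking(G), marking(D), marking(H)

def dangling_example():
    """Same tokens, but a constructed arc hangs on a consumed token: the step is forbidden."""
    G = Graph({'a1', 'a2', 'a3', 'b1', 'b2'}, {'e': ('a1', 'b2')},
              {'a1': 'A', 'a2': 'A', 'a3': 'A', 'b1': 'B', 'b2': 'B', 'e': 'edge'})
    try:
        direct_derivation(G, TRANSITION_T, MATCH)
    except ValueError as exc:
        return str(exc)
    return "applied"

def identification_example():
    """A match folding two consumed tokens onto a single one is forbidden as well."""
    G = discrete({'a1': 'A', 'b1': 'B'})
    try:
        direct_derivation(G, TRANSITION_T, {'l1': 'a1', 'l2': 'a1', 'l3': 'b1'})
    except ValueError as exc:
        return str(exc)
    return "applied"
```

`fire_example()` returns the markings $3A + 2B$ for $G$, $A + B$ for the intermediate graph $D$ and $A + B + C + D$ for $H$, matching the firing in Fig. 1(a). The two failing examples show why the gluing conditions matter for the net view: a non-injective match on consumed tokens would let one token be consumed twice, and an arc attached to a consumed node would be left dangling.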

The considered encoding of nets into grammars highlights the dimensions in 
which graph grammars properly extend nets. First of all, grammars allow for a 
more structured state, that is a general graph rather than a multiset (discrete 
graph). Perhaps more interestingly, graph grammars allow for productions where 
the interface graph may not be empty, thus specifying a “context” consisting of 
items that have to be present for the productions to be applied, but are not 
affected by the application. In this respect, graph grammars are closer to some 
generalizations of nets in the literature, called nets with read (test) arcs or 
contextual nets (see e.g. [7, 10, 14]), which generalize classical nets by adding the 
possibility of checking for the presence of tokens which are not consumed. 

3 Nondeterministic occurrence grammars 

The notion of derivation introduced in the previous section formalizes how a 
single computation of a grammar can evolve. Nondeterministic occurrence gram- 
mars are intended to represent the computations of graph grammars in a more 
static way, by recording the events (production applications) which can appear 
in all possible derivations and the dependency relations between them. 

Analogously to what happens for nets, occurrence grammars are “safe” gram- 
mars, where the dependency relations between productions satisfy suitable acyclic- 
ity and well-foundedness requirements. However, while for nets it suffices to take 
into account only the causal dependency and the conflict relations, the greater 
complexity of grammars makes the situation much more involved. On the one 
hand, the fact that a production application not only consumes and produces, 
but also preserves a part of the state leads to a form of asymmetric conflict 
(or weak dependency) between productions. On the other hand, because of the 
dangling condition, also the graphical structure of the state imposes some prece- 
dences between productions. 

A first step towards a definition of occurrence grammar is a suitable notion 
of safeness for grammars [4], generalizing the usual one for P/T nets, which 
requires that each place contains at most one token in any reachable marking. 

Definition 1 ((strongly) safe grammar). A grammar Q — {TG,Gi„,, P,tt) 
is (strongly) safe if, for all H such that Gin =►* H, H has an injective typing 
morphism. 

Strongly safe graph grammars (hereinafter called just safe grammars) admit 
a natural net-like pictorial representation, where items of the type graph and 
productions play, respectively, the role of places and transitions of Petri nets. 
The basic observation is that typed graphs having an injective typing morphism 
can be safely identified with the corresponding subgraphs of the type graph 
(just thinking of injective morphisms as inclusions). Therefore, in particular, 
each graph $\langle G, t_G \rangle$ reachable in a safe grammar can be identified with the 
subgraph $t_G(G)$ of the type graph $TG$, and thus it can be represented by suitably 
decorating the nodes and arcs of $TG$. Concretely, a node is drawn as a filled 
circle if it belongs to $t_G(G)$ and as an empty circle otherwise, while an arc is drawn 
as a continuous line if it is in $t_G(G)$ and as a dotted line otherwise (see Fig. 2). 
This is analogous to the usual technique of representing the marking of a safe 
net by putting one token in each place which belongs to the marking. 

With the above identification, in each computation of a safe grammar starting 
from the initial graph a production can only be applied to the subgraph of 
the type graph which is the image via the typing morphism of its left-hand 
side. Therefore according to its typing, we can safely think that a production 
produces, preserves or consumes items of the type graph. This is expressed by 
drawing productions as arrow-shaped boxes, connected to the consumed and 
produced resources by incoming and outgoing arrows, respectively, and to the 
preserved resources by undirected lines. Fig. 2 presents two examples of safe 
grammars, with their pictorial representation. Notice that the typing morphisms 
for the initial graph and the productions are represented by suitably labelling 
the involved graphs with items of the type graph. 

Using a net-like language, we speak of pre-set ${}^\bullet q$, context $\underline{q}$ and post-set $q^\bullet$ of 
a production $q$, defined in the obvious way. Similarly, for a node or arc $x$ in $TG$ 
we write ${}^\bullet x$, $\underline{x}$ and $x^\bullet$ to denote the sets of productions which produce, preserve 
and consume $x$. For instance, for grammar $\mathcal{G}_2$ in Fig. 2, the pre-set, context and 
post-set of production $q_1$ are ${}^\bullet q_1 = \{C\}$, $\underline{q_1} = \{B\}$ and $q_1^\bullet = \{A, L\}$, while for 
the node $B$, ${}^\bullet B = \emptyset$, $\underline{B} = \{q_1, q_2, q_3\}$ and $B^\bullet = \{q_4\}$. 

Although the notion of causal relation is meaningful only for safe grammars, 
it is technically convenient to define it for general grammars. The same holds 
for the asymmetric conflict relation introduced below. 

Definition 2 (causal relation). The causal relation of a grammar $\mathcal{G}$ is the 
binary relation $<$ over $Elem(\mathcal{G})$ defined as the least transitive relation satisfying: 
for any node or arc $x$ in the type graph $TG$, and for productions $q_1, q_2 \in P$ 

1. if $x \in {}^\bullet q_1$ then $x < q_1$; 

2. if $x \in q_1^\bullet$ then $q_1 < x$; 

3. if $q_1^\bullet \cap \underline{q_2} \neq \emptyset$ then $q_1 < q_2$. 

As usual $\leq$ is the reflexive closure of $<$. Moreover, for $x \in Elem(\mathcal{G})$ we denote 
by $\lfloor x \rfloor$ the set of causes of $x$ in $P$, namely $\{q \in P : q \leq x\}$. 

The first two clauses of the definition of relation $<$ are obvious. The third one 
formalizes the fact that if an item is generated by $q_1$ and it is preserved by $q_2$, 
then $q_2$, to be applied, requires that $q_1$ has already been applied. 

Notice that the fact that an item is preserved by $q_1$ and consumed by $q_2$, 
i.e., $\underline{q_1} \cap {}^\bullet q_2 \neq \emptyset$ (e.g., the node $B$ in grammar $\mathcal{G}_1$ of Fig. 2), does not imply 
$q_1 < q_2$. Actually, since $q_1$ must precede $q_2$ in any computation where both 
appear, in such computations $q_1$ acts as a cause of $q_2$. However, differently from 
a true cause, $q_1$ is not necessary for $q_2$ to be applied. Therefore we can think of 
[Fig. 2 is not reproduced here; its panels show the grammars $\mathcal{G}_1$ and $\mathcal{G}_2$ with their net-like pictures.] 

Fig. 2. Two safe grammars and their net-like representation. 

the relation between the two productions as a weak form of causal dependency. 
Equivalently, we can observe that the application of $q_2$ prevents $q_1$ from being applied, 
so that $q_1$ can never follow $q_2$ in a derivation. But the converse is not true, since 
$q_1$ can be applied before $q_2$. Thus this situation can also be interpreted naturally 
as an asymmetric conflict between the two productions (see [1]). 

Definition 3 (asymmetric conflict). The asymmetric conflict relation of a 
grammar $\mathcal{G}$ is the binary relation $\nearrow$ over the set of productions, defined by: 

1. if $\underline{q_1} \cap {}^\bullet q_2 \neq \emptyset$ then $q_1 \nearrow q_2$; 

2. if ${}^\bullet q_1 \cap {}^\bullet q_2 \neq \emptyset$ and $q_1 \neq q_2$ then $q_1 \nearrow q_2$; 

3. if $q_1 < q_2$ then $q_1 \nearrow q_2$. 

Condition 1 is justified by the discussion above. Condition 2 essentially expresses 
the fact that a situation of “classical” symmetric conflict is coded, in this setting, 
as an asymmetric conflict in both directions. Finally, since $<$ represents a global 
order of execution, while $\nearrow$ determines an order of execution only locally to each 
computation, it is natural to require $\nearrow$ to be an extension of $<$ (Condition 3). 

A nondeterministic occurrence grammar is an acyclic grammar which represents, 
in a branching structure, several possible computations starting from its 
initial graph and using each production at most once. 

Definition 4 ((nondeterministic) occurrence grammar). A (nondeterministic) 
occurrence grammar is a graph grammar $\mathcal{O} = \langle TG, G_{in}, P, \pi \rangle$ such that 

1. its causal relation $<$ is a partial order, and for any $q \in P$, the set $\lfloor q \rfloor$ is 
finite and asymmetric conflict is acyclic on $\lfloor q \rfloor$; 

2. the initial graph $G_{in}$ coincides with the set $Min(\mathcal{O})$ of minimal elements of 
$\langle Elem(\mathcal{O}), < \rangle$ (with the graphical structure inherited from $TG$ and typed by 
the inclusion); 

3. each arc or node $x$ in $TG$ is created by at most one production in $P$, namely 
$|{}^\bullet x| \leq 1$; 

4. for each production $q : \langle L_q, t_L \rangle \xleftarrow{l} \langle K_q, t_K \rangle \xrightarrow{r} \langle R_q, t_R \rangle$, the typing $t_L$ is injective 
on the “consumed part” $L - l(K)$, and similarly $t_R$ is injective on the 
“produced part” $R - r(K)$. 

Since the initial graph of an occurrence grammar $\mathcal{O}$ is determined by $Min(\mathcal{O})$, 
we often do not mention it explicitly. 

One can show that, by the defining conditions, each occurrence grammar is safe. 

Intuitively, conditions (1)-(3) recast in the framework of graph grammars 
the analogous conditions of occurrence nets (actually of occurrence contextual 
nets [1]). In particular condition (1) requires causality to be acyclic and each 
production $q$ to have a finite set of causes $\lfloor q \rfloor$. Acyclicity of asymmetric conflict 
on $\lfloor q \rfloor$ corresponds to the requirement of irreflexivity for the conflict relation in 
occurrence nets. In fact, notice that if a set of productions forms an asymmetric 
conflict cycle $q_0 \nearrow q_1 \nearrow \dots \nearrow q_n \nearrow q_0$, then such productions cannot appear 
in the same computation, otherwise the application of each production should 
precede the application of the production itself; this fact can be naturally 
interpreted as a form of $n$-ary conflict. Condition (2) forces the set of minimal 
items of the type graph to be a graph, coinciding with the initial graph of the 
grammar, and Condition (3) requires the absence of backward conflicts. Condition 
(4), instead, is closely related to safeness and requires that each production 
consumes and produces items with multiplicity one. Together with acyclicity of $\nearrow$, 
it disallows the presence of some productions which surely could never be 
applied, because they fail to satisfy the identification condition with respect to 
the typing morphism. 

On the contrary, the definition does not imply that every production of an 
occurrence grammar will ever satisfy the dangling condition. This fact deserves 
some comments, since the dangling condition, which requires the absence of arcs 
pointing to nodes which are removed by the production, induces precedence 
relations on productions. For example, in the grammar $\mathcal{G}_2$ of Fig. 2 the application 
of production $q_1$ “disables” $q_4$, since $q_4$ would remove the node $B$, leaving the 
arc $L$ dangling. The production $q_4$ becomes enabled again only after $q_2$ or $q_3$ 
has been applied. The reason why we defined occurrence grammars in this way 
is that the dangling condition is not purely syntactical and cannot be checked 
“locally” by looking only at the causes of the considered production. Checking 
such a negative (non monotonic) condition on a production would require finding 
a possible computation allowing for the execution of productions which remove 
the potentially dangling arcs, and verifying the consistency of such a computation 
with the production at hand. It can be shown that such a verification is, in general, 
exponential in the size of the occurrence grammar in the finite case. Even worse, 
for infinite occurrence grammars (which can be obtained as unfoldings of finite 
grammars), the problem is undecidable, as can be shown by using the Turing 
completeness of DPO graph grammars. 

Disregarding the dangling condition has as a consequence the fact that, dif- 
ferently from what happens for occurrence nets, not every production in an 
occurrence grammar is guaranteed to be applicable at least in one derivation 
starting from the initial graph. The restrictions to the behaviour imposed by 
the dangling condition are considered when defining the configurations of an 
occurrence grammar, which represent exactly, in a sense formalized later, all the 
possible deterministic runs of the grammar. 

Definition 5 (configuration). A configuration of an occurrence grammar $\mathcal{O} = 
\langle TG, P, \pi \rangle$ is a subset $C \subseteq P$ such that 

1. if $\nearrow_C$ denotes the restriction of the asymmetric conflict relation to $C$, then 
$(\nearrow_C)^*$ is a partial order, and $\{q' \in C : q' (\nearrow_C)^* q\}$ is finite for all $q \in C$;¹ 

2. $C$ is left-closed w.r.t. $<$, i.e. for all $q \in C$, $q' \in P$, $q' < q$ implies $q' \in C$; 

3. for all $e \in TG$ and $n \in \{s(e), t(e)\}$, if $n^\bullet \cap C \neq \emptyset$ and ${}^\bullet e \subseteq C$ then $e^\bullet \cap C \neq \emptyset$. 

If $C$ satisfies conditions (1) and (2), then it is called a pre-configuration. 

The notion is reminiscent of that of configuration of asymmetric event structures 
and thus of occurrence contextual nets [1]. The first part of Condition 1 ensures 
that in $C$ there are no $\nearrow$-cycles, and thus excludes the possibility of having 
in $C$ a subset of productions in conflict. The second part guarantees that each 
production has to be preceded only by finitely many other productions in the 
computation represented by the configuration. Condition 2 requires the presence 
of all the causes of each production, while Condition 3 formalizes the dangling 
condition. If a configuration contains a production $q$ consuming a node $n$ and a 
production $q'$ producing an arc $e$ (i.e. ${}^\bullet e = \{q'\}$) with source (or target) $n$, then 
a production $q''$ removing such an arc must be present as well, otherwise, due to 
the dangling condition, $q$ could not be executed. Notice that in this situation the 
production $q''$ can coincide with $q$ itself; otherwise it surely preserves the node 
$n$ and thus $q'' \nearrow q$, i.e. $q''$ correctly precedes $q$ in the computation represented 
by the configuration. Similar considerations apply if the arc $e$ is present in the 
initial graph, i.e., ${}^\bullet e = \emptyset$. For example the set of configurations of the grammar $\mathcal{G}_2$ 
in Fig. 2 is $Conf(\mathcal{G}_2) = \{\emptyset, \{q_1\}, \{q_1, q_2\}, \{q_1, q_3\}, \{q_1, q_2, q_4\}, \{q_1, q_3, q_4\}, \{q_4\}\}$. 
The set $S = \{q_1, q_4\}$ is instead only a pre-configuration, since for the node $B$ 
we have $B = t(L)$, $q_4 \in B^\bullet$, ${}^\bullet L = \{q_1\} \subseteq S$, but the intersection of $S$ with 
$L^\bullet = \{q_2, q_3\}$ is empty. 

The fact that configurations represent all and only the deterministic runs of 
an occurrence grammar is formalized by the following result. 

¹ As usual, for a binary relation $r$, with $r^*$ we denote its transitive and reflexive closure. 
Proposition 1 (configurations and derivations). For any configuration $C$ 
of an occurrence grammar $\mathcal{O}$, there exists a subgraph $G_C$ of the type graph $TG$ 
such that $Min(\mathcal{O}) \Rightarrow^* G_C$ with a derivation which applies exactly once every 
production in $C$, in any order consistent with $(\nearrow_C)^*$. Viceversa, for each derivation 
$Min(\mathcal{O}) \Rightarrow^* G$ in $\mathcal{O}$, the set of productions $S$ it applies is a configuration. 

As an immediate consequence of the previous result, a production which does 
not satisfy the dangling condition in any graph reachable from the initial graph 
is not part of any configuration. For example, does not appear in the set of 
configurations of $\mathcal{G}_1$, $Conf(\mathcal{G}_1) =$ 

In the theory of Petri nets the notion of occurrence grammar is strictly re- 
lated to that of process. A (non)deterministic net process is a (non)deterministic 
occurrence net with a morphism to the original net. Similarly, nondeterministic 
occurrence grammars can be used to define a suitable notion of nondeterminis- 
tic graph processes, generalizing the deterministic graph processes of [4]. Then, 
the unfolding of a grammar, introduced in the next section, could be seen as a 
“complete” nondeterministic process of the grammar. Unfortunately, these no- 
tions cannot be discussed here because of space limitations. 

4 Unfolding 

This section introduces the unfolding construction which, applied to a consuming 
grammar $\mathcal{G}$, produces a nondeterministic occurrence grammar $\mathcal{U}_\mathcal{G}$ describing the 
behaviour of $\mathcal{G}$. The unfolding is equipped with a mapping $\phi_\mathcal{G}$ to the original 
grammar $\mathcal{G}$ which allows one to see productions in $\mathcal{U}_\mathcal{G}$ as instances of production 
applications in $\mathcal{G}$, and items of the type graph of $\mathcal{U}_\mathcal{G}$ as instances of items of the 
type graph of $\mathcal{G}$. 

The idea consists of starting from the initial graph of the grammar, then 
applying in all possible ways its productions, and recording in the unfolding each 
occurrence of production and each new graph item generated in the rewriting 
process, both enriched with the corresponding causal history. According to the 
discussion in the previous section, during the unfolding process productions are 
applied without considering the dangling condition. Moreover we adopt a notion 
of concurrency which is “approximated” , again in the sense that it does not take 
care of the precedences between productions induced by the dangling condition. 

Definition 6 (quasi-concurrent graph). Let $\mathcal{O} = \langle TG, P, \pi \rangle$ be an occurrence 
grammar. A subgraph $G$ of $TG$ is called quasi-concurrent if 

1. $\bigcup_{x \in G} \lfloor x \rfloor$ is a pre-configuration; 

2. $\neg(x < y)$ for all $x, y \in G$. 

The intuitive idea is that each quasi-concurrent graph is contained in a graph 
reachable in a “lax version” of the DPO rewriting, where the dangling condition 
is not tested. 

Another basic ingredient of the unfolding is the gluing operation. It can be 
interpreted as a “partial application” of a rule to a given match, in the sense that 
it generates the new items as specified by the production (i.e., items of the 
right-hand side not in the interface), but items that should have been deleted are 
not affected: intuitively, this is because such items may still be used by another 
production in the nondeterministic unfolding. In the following we assume that 
for each production name $q$ its associated production is $L_q \xleftarrow{l_q} K_q \xrightarrow{r_q} R_q$, where 
the injections $l_q$ and $r_q$ are inclusions (and not generic injective morphisms). 

Definition 7 (gluing). Let $q$ be a production, $G$ a graph and $m : L_q \to G$ a 
graph morphism. We define, for any symbol $*$, the gluing of $G$ and $R_q$ along 
$K_q$, according to $m$ and marked by $*$, denoted by $glue_*(q, m, G)$, as the graph 
$\langle N, E, s, t \rangle$, where: 

$$N = N_G \cup m_*(N_{R_q}) \qquad E = E_G \cup m_*(E_{R_q})$$ 

with $m_*$ defined by: $m_*(x) = m(x)$ if $x \in K_q$ and $m_*(x) = \langle x, * \rangle$ otherwise. The 
source and target functions $s$ and $t$, and the typing are inherited from $G$ and $R_q$. 

The gluing operation keeps unchanged the identity of the items already in $G$, and 
records in each newly added item from $R_q$ the given symbol $*$. We remark that 
the gluing, as just defined, is a concrete deterministic definition of the pushout 
of the arrows $G \xleftarrow{m} L_q \xleftarrow{l_q} K_q$ and $K_q \xrightarrow{r_q} R_q$. 

Now the unfolding of a grammar $\mathcal{G} = \langle TG, G_{in}, P, \pi \rangle$ can be defined as follows. 
For each $n$, we construct a partial unfolding $\mathcal{U}(\mathcal{G})^{(n)} = \langle \mathcal{U}_\mathcal{G}^{(n)}, \phi_\mathcal{G}^{(n)} \rangle$, where 
$\mathcal{U}_\mathcal{G}^{(n)} = \langle TG^{(n)}, P^{(n)}, \pi^{(n)} \rangle$ is an occurrence grammar and the mapping 
$\phi_\mathcal{G}^{(n)} = \langle f_P^{(n)}, f_g^{(n)} \rangle$ consists of two components: a function $f_P^{(n)} : P^{(n)} \to P$ 
mapping the productions of the unfolding into productions of $\mathcal{G}$, and a morphism 
$f_g^{(n)} : TG^{(n)} \to TG$ from the type graph of $\mathcal{U}_\mathcal{G}^{(n)}$ to $TG$. Intuitively, the occurrence 
grammar generated at level $n$ contains all possible computations of the 
grammar with “causal depth” at most $n$. 

- ($n = 0$) $\langle TG^{(0)}, f_g^{(0)} \rangle = G_{in}$, while $P^{(0)}$ and $f_P^{(0)}$ are empty. 

- ($n \to n+1$) Given the partial unfolding $\mathcal{U}(\mathcal{G})^{(n)}$, $\mathcal{U}(\mathcal{G})^{(n+1)}$ is obtained by 
extending it with all the possible production applications to quasi-concurrent 
subgraphs of the type graph of $\mathcal{U}_\mathcal{G}^{(n)}$. More precisely, for each production 
$q \in P$ and match $m : L_q \to \langle TG^{(n)}, f_g^{(n)} \rangle$ satisfying the identification 
condition, with $m(L_q)$ a quasi-concurrent subgraph of $TG^{(n)}$: 

♦ Add to $P^{(n)}$ an occurrence of the production $q$, with name $q' = \langle q, m \rangle$. 
The match $m$ is needed to record the “history” of $q'$. Now let $P^{(n)} := 
P^{(n)} \cup \{q'\}$ and extend $f_P^{(n)}$ so that $f_P^{(n)}(q') = q$. The production 
$\pi^{(n)}(q')$ coincides with $\pi(q)$ except for the typing. 

♦ Glue the type graph $TG^{(n)}$, typed over $TG$ by $f_g^{(n)}$, with the right-hand 
side $R_q$ of $q$ along $K_q$, according to the mapping $m$ and marked by 
$q'$; in this way the new items generated by the production contain the 
name $q'$ of the occurrence of the production and thus their history. The 
morphism $f_g^{(n)}$ is updated consequently. 

After all the applicable productions have been considered we obtain $\mathcal{U}(\mathcal{G})^{(n+1)}$. 
The deterministic gluing construction ensures that, at each step, the order 
in which productions are applied does not influence the final result of the step. 
Moreover if a production is applied twice (also in different steps) at the same 
match, the generated items are always the same and thus they appear only once 
in the unfolding. 

Definition 8 (unfolding). The unfolding $\mathcal{U}(\mathcal{G}) = \langle \mathcal{U}_\mathcal{G}, \phi_\mathcal{G} \rangle$ of the grammar $\mathcal{G}$ 
is defined as $\bigcup_n \mathcal{U}(\mathcal{G})^{(n)}$, where union is applied componentwise. 

It is not difficult to verify that for each $n$, $\mathcal{U}_\mathcal{G}^{(n)}$ is a (finite) nondeterministic 
occurrence grammar, and $\mathcal{U}(\mathcal{G})^{(n)} \subseteq \mathcal{U}(\mathcal{G})^{(n+1)}$, componentwise. Therefore $\mathcal{U}_\mathcal{G}$ is 
an occurrence grammar. Moreover the unfolding process applied to an occurrence 
grammar yields a grammar which is isomorphic to the original one. 

Finally, we notice that, as already remarked, not all productions in the un- 
folding are executable in some computation and thus correspond to occurrences 
of production of the original grammar. This is due to the fact that only the 
identification condition is tested and an “approximated notion” of concurrent 
subgraph is used. We stress that this is needed to have a decidable unfolding, 
a fact which, besides being pleasant from a purely theoretical point of view, is 
essential if one wants to use the unfolding in practice to prove properties of the 
modelled system. 

5 Domain and event structure semantics 

In the seminal work of Winskel on (safe) Petri nets, the unfolding semantics of a 
net, given in terms of a nondeterministic occurrence net, is further abstracted to 
an event structure semantics, by forgetting the “real structure” of the unfolding 
and recording only the relationships induced by such structure on the transitions 
of the unfolding itself. In this section we show that a similar construction can 
be carried out for graph grammars. 

Recall that a prime event structure with binary conflict (PES) consists of 
a set of events endowed with two binary relations: a partial order relation $\leq$, 
modelling causality, and a symmetric and irreflexive relation $\#$, hereditary w.r.t. 
causality, modelling conflict. A configuration of a PES is a subset of events 
left-closed w.r.t. $\leq$ and conflict free, representing a possible computation of the 
system modelled by the event structure. The set of configurations of a PES, ordered 
by subset inclusion, is a finitary prime algebraic domain, i.e. a coherent, prime 
algebraic, finitary partial order, briefly a domain, and the set of prime elements 
of a domain (with the induced partial order as causality and the inconsistency 
relation as conflict) is a PES. 

We already observed that the notion of configuration of an occurrence gram- 
mar allows us to recover exactly the different possible deterministic computations 
of the grammar. Following the ideas suggested for asymmetric event structures 
and contextual nets in [1], an order can be defined on configurations which 
captures the idea of computational extension. The main point is that, differently 
from what happens for classical event structures and Petri nets, due to the 
presence of the asymmetric conflict such an order is not simply set-inclusion: in fact, 
a configuration C cannot be extended with a production inhibited by some of 
the productions already present in C. 

Definition 9 (poset of configurations). Given an occurrence grammar $\mathcal{O}$, 
we denote by $Conf(\mathcal{O})$ the set of its configurations, ordered by the relation $\sqsubseteq$ 
defined as $C \sqsubseteq C'$ if $C \subseteq C'$ and $\neg(q' \nearrow q)$, for all $q \in C$ and $q' \in C' - C$. 

The partial order of configurations of an occurrence grammar exhibits a very nice 
algebraic structure, i.e., it is a domain. The proof (that we skip here) follows the 
same outline as in [1], but more effort is needed to take care of the additional 
requirement in the definition of configuration, related to the dangling condition. 
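The following Python model is an added example, not code from the paper: it computes the causal relation (Definition 2), the asymmetric conflict (Definition 3), the configurations (Definition 5) and the order $\sqsubseteq$ of Definition 9 for a constructed net-like encoding of grammar $\mathcal{G}_2$ of Fig. 2. Only the sets ${}^\bullet q_1$, $\underline{q_1}$, $q_1^\bullet$, ${}^\bullet B$, $\underline{B}$, $B^\bullet$, ${}^\bullet L$, $L^\bullet$ and $t(L) = B$ come from the text; the source of $L$ and the contexts of $q_2$, $q_3$, $q_4$ are assumptions.

```python
from itertools import chain, combinations

# Constructed net-like encoding of grammar G2 of Fig. 2 (an assumption, not the
# paper's data): the text gives *q1 = {C}, context of q1 = {B}, q1* = {A, L},
# context of B = {q1, q2, q3}, B* = {q4}, *L = {q1}, L* = {q2, q3}, t(L) = B.
# The source of L and the contexts of q2, q3, q4 are filled in here.
ARCS = {"L": ("A", "B")}          # arc -> (source, target)
PRODUCTIONS = {                   # name -> (pre-set, context, post-set)
    "q1": ({"C"}, {"B"}, {"A", "L"}),
    "q2": ({"L"}, {"B"}, set()),
    "q3": ({"L"}, {"B"}, set()),
    "q4": ({"B"}, set(), set()),
}

def transitive_closure(pairs):
    """Least transitive relation containing `pairs`."""
    rel = set(pairs)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(rel):
            for (c, d) in list(rel):
                if b == c and (a, d) not in rel:
                    rel.add((a, d))
                    changed = True
    return rel

def causal_relation(prods):
    """Definition 2: x < q if x in *q, q < x if x in q*, and q1 < q2 if q1*
    meets the context of q2; closed transitively."""
    pairs = set()
    for q, (pre, _, post) in prods.items():
        pairs |= {(x, q) for x in pre} | {(q, x) for x in post}
        for q2, (_, ctx2, _) in prods.items():
            if post & ctx2:
                pairs.add((q, q2))
    return transitive_closure(pairs)

def causes(prods, q, lt):
    """The set of causes of q: productions q' with q' <= q."""
    return {p for p in prods if p == q or (p, q) in lt}

def asymmetric_conflict(prods, lt):
    """Definition 3: the relation q1 /> q2 as a set of pairs."""
    ac = set()
    for q1, (pre1, ctx1, _) in prods.items():
        for q2, (pre2, _, _) in prods.items():
            if ctx1 & pre2:                  # 1. preserved by q1, consumed by q2
                ac.add((q1, q2))
            if q1 != q2 and pre1 & pre2:     # 2. symmetric conflict, both ways
                ac.add((q1, q2))
            if (q1, q2) in lt:               # 3. /> extends <
                ac.add((q1, q2))
    return ac

def acyclic(rel, elems):
    """True if rel restricted to elems has no cycle, i.e. its reflexive and
    transitive closure is a partial order."""
    restricted = {(a, b) for (a, b) in rel if a in elems and b in elems}
    return all(a != b for (a, b) in transitive_closure(restricted))

def is_configuration(prods, arcs, C, lt, ac):
    """Definition 5 for a finite set C of productions."""
    if not acyclic(ac, C):                   # 1. no />-cycles inside C
        return False
    if any((p, q) in lt and p not in C for q in C for p in prods):
        return False                         # 2. C is left-closed w.r.t. <
    # 3. dangling condition: if some production in C consumes an end node n of
    #    arc e and all producers of e are in C, some production in C removes e
    for e, ends in arcs.items():
        producers = {q for q, (_, _, post) in prods.items() if e in post}
        removers = {q for q, (pre, _, _) in prods.items() if e in pre}
        for n in ends:
            consumers = {q for q, (pre, _, _) in prods.items() if n in pre}
            if consumers & C and producers <= C and not removers & C:
                return False
    return True

def configurations(prods=PRODUCTIONS, arcs=ARCS):
    """All configurations of the occurrence grammar, as frozensets."""
    lt = causal_relation(prods)
    ac = asymmetric_conflict(prods, lt)
    names = sorted(prods)
    subsets = chain.from_iterable(
        combinations(names, k) for k in range(len(names) + 1))
    return {frozenset(C) for C in subsets
            if is_configuration(prods, arcs, set(C), lt, ac)}

def extends(C, C2, ac):
    """Definition 9: C is below C2 iff C is a subset of C2 and no production
    q' added by C2 inhibits (q' /> q) a production q already in C."""
    return C <= C2 and not any((q2, q) in ac for q in C for q2 in C2 - C)
```

Condition 4 of Definition 4 (injectivity of the typing) has no counterpart at this net-like level, so the model checks only the set-based conditions; on this input it recovers the seven configurations listed for $\mathcal{G}_2$ in Section 3 and rejects the pre-configuration $\{q_1, q_4\}$.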

Theorem 1 (from occurrence grammars to domains). Given an occurrence 
grammar $\mathcal{O}$, the partial order of configurations $Conf(\mathcal{O})$ is a domain. 

By the relation between domains and event structures sketched above, $Conf(\mathcal{O})$ 
determines indirectly an event structure $ES(\mathcal{O})$, namely, the unique (up to 
isomorphism) PES having $Conf(\mathcal{O})$ as domain of configurations. Differently from 
what happens for Petri nets, there is not a one to one correspondence between 
events of $ES(\mathcal{O})$ and productions in $\mathcal{O}$. Instead, a different event is generated 
for any possible “history” of each production of $\mathcal{O}$. This phenomenon of “duplication 
of events” is related to the fact that the new precedence relations arising 
between productions in graph grammars are represented via causality and conflict 
in classical PES’s. Basically, a situation of asymmetric conflict like $q_1 \nearrow q_2$ 
in grammar $\mathcal{G}_1$ of Fig. 2 is coded in the PES by the insertion of a single event 
$e_1$ corresponding to $q_1$, and two “copies” $e_2$ and $e_2'$ of $q_2$, the first one in conflict 
with $e_1$ and the second one caused by $e_1$ (see Fig. 3.(a)). For what concerns 
the dangling condition, consider the grammar $\mathcal{G}_2$ in Fig. 2. In this case three 
conflicting events are generated corresponding to $q_4$: $e_4$ representing the execution 
of $q_4$ from the initial graph, which inhibits all other productions, and $e_4'$, $e_4''$ 
representing the execution of $q_4$ after $q_2$ and $q_3$, respectively. 

Fig. 3. Coding asymmetric conflict and dangling condition in prime event structures. 



As a final simple step, a domain and an event structure semantics for a graph 
grammar are readily defined via the unfolding construction. 
Definition 10 (event structure semantics). For any grammar $\mathcal{G}$, we denote 
by $Conf(\mathcal{G})$ the domain of configurations of the unfolding of $\mathcal{G}$, namely 
$Conf(\mathcal{U}_\mathcal{G})$, and by $ES(\mathcal{G})$ the corresponding event structure $ES(\mathcal{U}_\mathcal{G})$. 

6 Relation with other event structure semantics 

This section briefly reviews two other event structure semantics proposed in 
the literature for DPO graph transformation systems. The first one [3] is built 
on top of the “abstract truly concurrent model of computation” of a grammar. 
The other one [13] is based on a deterministic variation of the DPO approach. 
Nicely, these two alternative event structures turn out to coincide with the one 
obtained from the unfolding, which thus can be claimed to give “the” event 
structure semantics of DPO graph transformation. 

Event structure semantics from abstract derivations. The derivations of 
a grammar $\mathcal{G}$ are easily equipped with a simple algebraic structure which turns 
them into a category, called the concrete model of computation for $\mathcal{G}$ and denoted 
$Der[\mathcal{G}]$. Objects in $Der[\mathcal{G}]$ are graphs, and each derivation $\rho$ is seen as an arrow 
from $\sigma(\rho)$ to $\tau(\rho)$. Given two derivations $\rho$ and $\rho'$ such that the ending graph 
of $\rho$ and the starting graph of $\rho'$ coincide, i.e., $\tau(\rho) = \sigma(\rho')$, their sequential 
composition $\rho;\rho'$ is the derivation obtained by identifying $\tau(\rho)$ with $\sigma(\rho')$. 

The concrete model contains a lot of redundant information and it is far 
from representing what one has in mind as truly concurrent behaviour of the 
system modeled by the grammar. A more reasonable model, called the abstract, 
truly concurrent model of computation of a grammar $\mathcal{G}$, and denoted by $Tr[\mathcal{G}]$, is 
the category obtained by imposing a suitable equivalence on objects and arrows 
of the concrete model. In particular, the objects of $Tr[\mathcal{G}]$ are abstract graphs 
(i.e., isomorphism classes of graphs), while its arrows are concatenable derivation 
traces, i.e., equivalence classes of derivations with respect to the concatenable 
truly concurrent equivalence [3]. This equivalence is the least equivalence on 
derivations containing both the abstraction equivalence, a refinement of the ob- 
vious notion of derivation isomorphism compatible with sequential composition, 
and the shift equivalence, which equates two derivations if one can be obtained 
from the other by repeatedly shifting independent derivation steps. 

The category $Tr[\mathcal{G}]$ is used in [3] to define a domain and a prime event 
structure semantics for graph transformation systems. More precisely, for any 
consuming graph grammar $\mathcal{G} = \langle TG, G_{in}, P, \pi \rangle$, one considers the comma category 
$([G_{in}] \downarrow Tr[\mathcal{G}])$, where objects are concatenable derivation traces of $Tr[\mathcal{G}]$ 
with source in $[G_{in}]$, and given two such traces $\delta_0$ and $\delta_1$, an arrow from $\delta_0$ to 
$\delta_1$ is a concatenable derivation trace $\delta$ satisfying $\delta_0;\delta = \delta_1$. Such a category can 
be shown to be a preorder $PreDom[\mathcal{G}]$, i.e., there is at most one arrow between 
any pair of objects. Moreover the ideal completion of $PreDom[\mathcal{G}]$ is a domain, 
denoted by $Dom[\mathcal{G}]$ and proposed as truly concurrent semantics of the grammar. 

As announced, such a domain semantics can be proved to coincide with the 
one obtained from the unfolding $\mathcal{U}(\mathcal{G})$. In fact, we know from [3] that the finite 
elements of the domain $Dom[\mathcal{G}]$ are one-to-one with derivation traces of $\mathcal{G}$ having 
the initial graph as source. Then the result is proved by showing that a bijection 
can be defined between finite elements of $Conf(\mathcal{G})$ and such derivation traces. In 
one direction, given a finite configuration $C \in Conf(\mathcal{G})$, consider any derivation 
$Min(\mathcal{U}_\mathcal{G}) \Rightarrow^* G_C$ in $\mathcal{U}_\mathcal{G}$ which applies exactly once every production in $C$, in 
any order consistent with the asymmetric conflict $\nearrow$. Such a derivation, typed 
over the type graph of $\mathcal{G}$ via the mapping $\phi_\mathcal{G}$, gives a derivation $d$ in $\mathcal{G}$, which 
determines the derivation trace associated to $C$. Viceversa, given a derivation 
trace $[d]$ of $\mathcal{G}$, the corresponding configuration of $\mathcal{U}_\mathcal{G}$ is determined as the set 
of productions needed to “simulate” $d$ in the unfolding of $\mathcal{G}$. The fact that the 
ordering on configurations is not simply set-inclusion then plays a key role in 
the proof that such a bijection is an isomorphism of partial orders. 

Theorem 2. For any (consuming) graph grammar $\mathcal{G}$, the domains $Conf(\mathcal{G})$ and 
$Dom[\mathcal{G}]$ are isomorphic. 

Event structure semantics from deterministic derivations. Schied in [13] 
proposes a construction for defining an event structure semantics for distributed 
rewriting systems, an abstract unified model where several kinds of rewriting 
systems, such as graph grammars and term rewriting systems, naturally fit. 
He shows that, given a distributed rewriting system $\mathcal{R}$, a domain $\mathcal{T}_\mathcal{R}$ can be 
obtained as the quotient, with respect to shift equivalence, of the collection of 
derivations starting from the initial state, ordered by the prefix relation. To 
prove the algebraic properties of $\mathcal{T}_\mathcal{R}$ he constructs, as an intermediate step, a 
trace language based on the shift equivalence, and applies general results to 
extract an event structure $\mathcal{E}_\mathcal{R}$ from the trace language. Finally he shows that 
$\mathcal{T}_\mathcal{R}$ is isomorphic to the domain of configurations of $\mathcal{E}_\mathcal{R}$. 

The main interest in Schied’s paper is for the application to graph grammars. 
Let us sketch how, according to Schied, the above construction instantiates to the 
case of grammars. Graph grammars are modeled as distributed rewriting systems 
by considering a deterministic variation of the DPO approach, where at each 
direct derivation the derived graph is uniquely determined by the host graph, 
the applied production and the match. The idea consists of working on concrete 
graphs, where each item records its causal history. Formally the definition of 
deterministic direct derivation (adapted to the typed case) is as follows. 

Definition 11 (deterministic derivation). Let $q : L_q \xleftarrow{l} K_q \xrightarrow{r} R_q$ be a 
production and let $m : L_q \to G$ be a match. Then a deterministic direct derivation 
$G \leadsto_{q,m} H$ exists if $m$ satisfies the gluing conditions and 

$$H = glue_{\langle q, m \rangle}(q, m, G) - m(L_q - l(K_q)).$$ 

Let $\mathcal{G} = \langle TG, G_{in}, P, \pi \rangle$ be a typed graph grammar. A deterministic derivation 
in $\mathcal{G}$ is a sequence of deterministic direct derivations $G_{in} \leadsto_{q_1,m_1} G_1 \leadsto_{q_2,m_2} 
\dots \leadsto_{q_n,m_n} G_n$, starting from the initial graph and applying productions of $\mathcal{G}$. 

The construction of the domain of a grammar is based on the partial order 
of deterministic derivations with the prefix relation, and on shift equivalence. 
Definition 12 (Schied’s domain). Schied’s domain for a consuming grammar 
$\mathcal{G}$, denoted by $\mathcal{T}_\mathcal{G}$, is defined as the quotient, w.r.t. shift equivalence, of the 
partial order of deterministic derivations of the grammar $\mathcal{G}$. 

It is not difficult to see that the (ideal completion of) Schied’s domain for a 
grammar coincides with the domain of configurations of its unfolding $Conf(\mathcal{G})$, 
and thus with the domain $Dom[\mathcal{G}]$ of [3]. The bijection between $\mathcal{T}_\mathcal{G}$ and the 
finite elements of $Conf(\mathcal{G})$ associates to the class of shift equivalent deterministic 
derivations containing $d : G_{in} \leadsto_{q_1,m_1} G_1 \leadsto_{q_2,m_2} \dots \leadsto_{q_n,m_n} G_n$ the set 
$\{\langle q_i, m_i \rangle : i \in \{1, \dots, n\}\}$, which can be shown to be a configuration in the unfolding of 
$\mathcal{G}$, independently of the particular derivation picked up in the class. 

Theorem 3. For any graph grammar $\mathcal{G}$, the ideal completion of $\mathcal{T}_\mathcal{G}$ and the 
domain $Conf(\mathcal{G})$ are isomorphic. 

7 Conclusions and future work 

This paper introduces a notion of nondeterministic occurrence grammar for 
graph transformation systems in the algebraic DPO approach, by extending 
the work developed in [4] for the deterministic case. The phenomenon of asym- 
metric conflict between productions, caused by the possibility of performing 
“context sensitive” rewritings, cannot be ignored in this nondeterministic set- 
ting, and comes into play as an essential ingredient. A new kind of dependency 
between productions is also induced by the dangling condition, which imposes 
precedences among productions aimed at preserving the consistency of the 
graphical structure of the state. 

Following the classical idea proposed by Winskel [15] for Petri nets, an un- 
folding semantics for DPO graph rewriting systems has been defined as a nonde- 
terministic occurrence grammar, representing, in a single “branching” structure, 
all the possible computations of the grammar. The dangling condition, being a 
negative (non monotone) condition, can hardly be verified during the unfold- 
ing process. As a consequence the generated unfolding contains some garbage of 
which we get rid only when considering the set of configurations. 

Interestingly, the set of configurations $Conf(\mathcal{G})$ of (the unfolding of) a grammar 
$\mathcal{G}$, suitably ordered using the asymmetric conflict relation, turns out to be 
a (finitary pairwise coherent) prime algebraic domain, one of the most widely 
used mathematical structures in the semantics of concurrency, equivalent to 
prime event structures (with binary conflict). Such a domain is shown to coincide 
both with the domain $Dom[\mathcal{G}]$, built from the category of concatenable derivation 
traces and proposed as semantics of a grammar in [3], and with the domain 
defined by Schied [13] and based on a concrete formulation of the DPO rewriting. 

Finally, it is worth mentioning that the original work of Winskel shows that 
the unfolding construction extends to a coreflection from the category of safe 
nets to the category of domains, while our construction has been defined, up to 
now, only at “object level”. We are working to obtain a full correspondence with 
Winskel’s construction for nets, by extending the results presented in this paper 
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to a categorical “in the large” level. Some suggestions can surely come from [1], 
where Winskel’s construction has already been fully extended to contextual nets. 
Abstract. We prove strong normalization of β-reduction+η-expansion for the Calculus of Constructions, thus providing the first strong normalization result for β-reduction+η-expansion in calculi of dependent types and answering in the affirmative a conjecture by Di Cosmo and Ghani. In addition, we prove strong normalization of β-reduction+η-expansion+algebraic reduction for the Algebraic Calculus of Constructions, which extends the Calculus of Constructions with first-order term-rewriting systems. The latter result, which requires the term-rewriting system to be non-duplicating, partially answers in the affirmative another conjecture by Di Cosmo and Ghani.



1 Introduction 

Extensionality, as embodied in η-conversion

λx:A. M x = M    if x ∉ FV(M)

is a basic notion in λ-calculus and type theory. Traditionally, η-conversion has been oriented from left to right, thus leading to η-reduction. Recently, several authors have advocated a different computational interpretation, in which η-conversion is oriented from right to left, thus leading to η-expansion. The latter, which originates from proof-theoretical considerations [23], has found an increasing number of applications in computer science. The current body of results on η-expansion and its applications is too large to be presented here in any detail but we refer to [9] for a recent survey of the field, including a summary of the applications of η-expansion, an historical account of the subject and pointers to the literature.

The first part of this paper is concerned with normalization of β-reduction+η-expansion for the λ-cube [4,5,14].¹ While weak normalization of β-reduction+η-expansion is relatively easy to establish [6,17], even for systems of dependent types, strong normalization of β-reduction+η-expansion has remained unaddressed thus far. In fact, it was conjectured by Di Cosmo and Ghani [10,17] that β-reduction+η-expansion is strongly normalizing for the legal terms of the Calculus of Constructions. In the first part of the paper, we prove their conjecture by means of a model construction inspired from [25] and based on saturated sets.

The second part of this paper is concerned with normalization of β-reduction+η-expansion+algebraic reduction for the algebraic λ-cube, see e.g. [3,8]. In contrast to the λ-cube, neither weak normalization results nor strong normalization results are known for systems of dependent types. Again, it was conjectured by Di Cosmo and Ghani [10] that strong normalization is a modular property of the algebraic λ-cube, i.e. that a system of the algebraic λ-cube is strongly normalizing w.r.t. β-reduction+η-expansion+algebraic reduction if its underlying term-rewriting system is strongly normalizing. In the second part of this paper, we solve their conjecture partially, under the extra assumption that the underlying term-rewriting system is non-duplicating. The proof is obtained by using ideas from [7] and modifying the model construction of the first part of the paper.

Related work 

Much work has been devoted to extensionality in type systems so we shall only focus on systems of dependent 
types. 

¹ Throughout the paper, we shall be concerned with the extensional versions of the λ-cube, in which the conversion rule uses =βη. These versions are presented in [14] but differ from Barendregt’s original presentation [4,5], in which the conversion rule uses =β. In order to avoid confusion, we refer to the latter presentation as the usual λ-cube, the usual Calculus of Constructions...

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 90-104, 1999.
© Springer-Verlag Berlin Heidelberg 1999
η-reduction The study of β-reduction+η-reduction in dependent type theories dates back to the e
with Nederpelt’s thesis [21]. Nederpelt showed that β-reduction+η-reduction is not confluent on the
terms of a dependently typed language à la Church, i.e. with typed λ-abstractions. Later, van D
proved confluence of β-reduction+η-reduction for (the typed terms of) a language of the Automat
More recently, Geuvers [14] and Salvesen [24] proved confluence of β-reduction+η-reduction for
normalizing Pure Type Systems [4,5,14]. Finally, the author [6] recently generalized Geuvers and S
results by showing that all Pure Type Systems have unique normal forms with respect to β-redu
reduction. As for strong normalization, Geuvers [14] seems to be the standard proof of strong norm
for the extensional version of the Calculus of Constructions.

βη-long normal forms The existence of βη-long normal forms for the systems of the λ-cube was fir
by Dowek, Huet and Werner [13], who defined a non-standard induction principle to this end. The i
principle was later simplified and generalized by the author [6] who showed the uniqueness of βη-lon
forms for all Pure Type Systems and the existence of βη-long normal forms for most Pure Type S
interest.

η-expansion for dependent types For systems of dependent types, the notion of η-expansion was firs
by Ghani [17], who showed that unrestricted η-expansion is not normalizing for the Calculus of Const
introduced a restricted notion of η-expansion, and showed that β-reduction+η-expansion is confl
weakly normalizing for the Calculus of Constructions. More recently, the author [6] generalized Ghan
by showing that all Pure Type Systems have unique normal forms with respect to β-reduction+η-e
As for strong normalization, Joachimski [18] has shown that a Pure Type System is strongly normaliz
reduction+η-expansion if it is strongly normalizing for β-reduction. Unfortunately, Joachimski’s no
expansion is weaker than the notions of η-expansion that appear in the literature [6,13,17], and subs
its underlying notion of βη-long normal form does not correspond to the well-established notion
17]. We consider it a severe drawback.

Finally, Di Cosmo and Ghani [10] have considered η-expansion in the context of the algebraic λ
particular for the Algebraic Calculus of Constructions, and have shown that confluence is a modular
of the Algebraic Calculus of Constructions.

Organization of the paper 

The paper is organized as follows: in Section 2, we review the definition of the λ-cube. In Section 3,
strong normalization of β-reduction+η-expansion for the systems of the λ-cube. In Section 4, we c
algebraic λ-cube with βη-conversion and prove strong normalization of β-reduction+η-expansion+
reduction for the systems of the algebraic λ-cube. Finally, we conclude in Section 5.

Notation

We use standard notation and terminology from Abstract Rewriting Systems [19]. In particular,
the union of two relations and    denotes the transitive closure of    denotes the
transitive closure of    and =i denotes the reflexive-symmetric-transitive closure of    Finally, th
is defined by a ↓ b if there exists c such that a →→ c and b →→ c.

An object a is a i-normal form if there is no b such that a →i b; the set of i-normal forms is
by NF(i). An object a is i-normalizing if there is some b ∈ NF(i) such that a →→i b; the set of i-no
objects is denoted by WN(i). An object a is i-strongly normalizing if all reduction sequences star
a are finite; the set of i-strongly normalizing objects is denoted by SN(i).

2 η-expansion in the λ-cube

2.1 The λ-cube

Throughout this paper, we let S = {*, □}. Elements of S are called sorts. For technical conven
distinguish between object variables and constructor variables. This distinction, which originates f



92 



Gilles Barthe 



Definition 1. A rule set is a set 𝒮 such that 𝒮 ⊆ S × S. Elements of rule sets are called rules. Every rule set 𝒮 yields a Pure Type System λ𝒮 as specified below.

Definition 2 (Pure Type Systems of the λ-cube).

1. The set T of pseudo-terms is given by the abstract syntax

   T = V* | V□ | S | T T | λV : T.T | ΠV : T.T

   where V* and V□ are fixed, pairwise disjoint and countably infinite sets of variables.

2. β-reduction is defined as the compatible closure of the contraction

   (λx:A. M) N →β M{x := N}

   where .{. := .} is the standard substitution operator.

3. η-reduction is defined as the compatible closure of the contraction

   λx:A. (M x) →η M

   provided x ∉ FV(M), where FV(M) is the standard set of free variables of M.

4. The set 𝒢 of pseudo-contexts is given by the abstract syntax

   𝒢 = ⟨⟩ | 𝒢, V : T

   The domain of a context Γ is dom(Γ) = {x | ∃t ∈ T. x : t ∈ Γ}.

5. A judgment is a triple Γ ⊢ M : A where Γ ∈ 𝒢 and M, A ∈ T.

6. The derivability relation ⊢ is given by the rules of Figure 1. If Γ ⊢ M : A is derivable, then Γ
   A are legal. The set of legal contexts is denoted by 𝒢_L.



(axiom)          ⟨⟩ ⊢ * : □

(start)          Γ ⊢ A : s
                 ------------------              if x ∈ V^s \ dom(Γ)
                 Γ, x : A ⊢ x : A

(weakening)      Γ ⊢ A : B    Γ ⊢ C : s
                 ------------------------        if x ∈ V^s \ dom(Γ) and A ∈ V ∪ S
                 Γ, x : C ⊢ A : B

(product)        Γ ⊢ A : s1    Γ, x : A ⊢ B : s2
                 ---------------------------------   if (s1, s2) ∈ 𝒮
                 Γ ⊢ (Πx:A. B) : s2

(application)    Γ ⊢ F : (Πx:A. B)    Γ ⊢ a : A
                 ---------------------------------
                 Γ ⊢ F a : B{x := a}

(abstraction)    Γ, x : A ⊢ b : B    Γ ⊢ (Πx:A. B) : s
                 ---------------------------------------
                 Γ ⊢ λx:A. b : Πx:A. B

(conversion)     Γ ⊢ A : B    Γ ⊢ B' : s
                 -------------------------        if B =βη B'
                 Γ ⊢ A : B'

Fig. 1. Rules for the λ-cube



The eight Pure Type Systems λ𝒮 depicted in Figure 2 are collectively known as the λ-cube and
well-known systems:

System                         𝒮        Rule set
Simply typed λ-calculus        →        (*,*)
Polymorphic typed λ-calculus   2        (*,*)  (□,*)
Logical Frameworks             P        (*,*)         (*,□)
                               P2       (*,*)  (□,*)  (*,□)
                               ω̲        (*,*)                (□,□)
Higher-order typed λ-calculus  ω        (*,*)  (□,*)         (□,□)
                               Pω̲       (*,*)         (*,□)  (□,□)
Calculus of Constructions      Pω = C   (*,*)  (□,*)  (*,□)  (□,□)

Fig. 2. The λ-cube



2.2 η-expansion

Defining η-expansion for systems of dependent types is not straightforward. As pointed out by G
full η-expansion defined by the rule

M →η(Γ) λx:A. (M x)    if Γ ⊢ M : Πx:A. B and M not a λ-abstraction

leads to infinite reduction sequences. Indeed, let Γ = X : *, x : X → X and let B(y) = (λz:X →
Then

x →η(Γ) λz:B(x). (x z)
  →η(Γ) λz:B(λz:B(x). (x z)). (x z)
  →η(Γ) ···

In order to rule out such infinite reduction sequences, Ghani [17] proposes to impose the extra c
that A is in βη-long normal form, where the notion of being βη-long normal form is defined by indu
the structure of terms.

Definition 3 (Ghani [17]). Let Γ ∈ 𝒢_L. A term M is a βη-long normal form in context Γ
if M is legal in Γ and one of the following conditions holds:

1. M ∈ S;

2. M = Πx:B. C, ℓ_Γ(B) and ℓ_{Γ,x:B}(C);

3. M = λx:B. N, ℓ_Γ(B) and

4. M = x P1 ... Pn, Γ ⊢ M : A for some A ∈ 𝒞 ∪ S and ℓ_Γ(Pi) for i = 1, ..., n.

The set of βη-long normal forms in context Γ is denoted ℒ_Γ.

The above definition is also implicitly present in [13].

Definition 4 (Ghani [17]). Restricted η-expansion (in context Γ) is defined by the rule

M →η(Γ) λx:A. (M x)    if Γ ⊢ M : Πx:A. B and M not a λ-abstraction and ℓ_Γ(A)

and by the compatibility clauses of Figure 3.

As argued in [6], this definition is somewhat contrived because:

1. one needs to define βη-long normal forms before defining η-expansion;

2. one can only deduce that x is not in →η(Γ,x:A→A)-normal form (where A is an arbitrary typ

Based on the above observations, the author [6] suggested that the definition of η-expansion may be
by requiring that A ∈ NF(β). Note how Ghani’s counter-example does not apply to such a not
expansion.

Definition 5 ([6]). η-expansion →η(Γ) is defined by the rule

M →η(Γ) λx:A. (M x)    if Γ ⊢ M : Πx:A. B and M not a λ-abstraction and A ∈ NF(β)

and by the compatibility clauses of Figure 3.



M →η(Γ) N  ⇒  M P →η(Γ) N P          if N ≠ λx:B. (M x)

M →η(Γ) N  ⇒  P M →η(Γ) P N

M →η(Γ) N  ⇒  λx:M. P →η(Γ) λx:N. P

M →η(Γ) N  ⇒  Πx:M. P →η(Γ) Πx:N. P

M →η(Γ,x:A) N  ⇒  λx:A. M →η(Γ) λx:A. N

M →η(Γ,x:A) N  ⇒  Πx:A. M →η(Γ) Πx:A. N

Fig. 3. Compatibility rules for η-expansion



A few words are in order to justify our definition:

1. In the definition of η-expansion it is implicitly assumed that x is fresh;

2. η-expansion is taken to be a compatible relation as it is folklore that η-expanding the first arg
an application would lead to the loop

   M N →η(Γ) (λx:A. M x) N →β M N

   Similarly one cannot η-expand λ-abstractions as it would lead to the loop

   λx:A. M →η(Γ) λy:A. (λx:A. M) y →β λx:A. M

It is immediate to see that the η-expansion of Definition 5 is a generalization of the restricted η-expansion of Definition 4.

Lemma 1. If M →η(Γ) N in the sense of Definition 4 then M →η(Γ) N in the sense of Definition 5.
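The pseudo-terms of Definition 2 and the two η-expansion rules of Section 2.2, as an added Python example that is not part of the paper: it replays Ghani’s counter-example (Γ = X : *, x : X → X and B(y) = (λz:X→X. X) y, built here as tuples) under unrestricted η-expansion and shows that the side condition A ∈ NF(β) of Definition 5 refuses every step of it, because B(t) is never β-normal. The typing judgement Γ ⊢ M : Πx:A. B that licenses an expansion is assumed, not checked: the domain type A is supplied by hand.

```python
# Added example (not from the paper): the pseudo-terms of Definition 2 with
# β-reduction and the two η-expansion rules of Section 2.2, replaying Ghani's
# counter-example and the A ∈ NF(β) check of Definition 5.
from itertools import count

# Constructed representation: ('var', x) | ('sort', s) | ('app', M, N)
#                              | ('lam', x, A, M) | ('pi', x, A, B)
def var(x): return ('var', x)
def app(f, a): return ('app', f, a)
def lam(x, A, body): return ('lam', x, A, body)
def pi(x, A, body): return ('pi', x, A, body)

_counter = count()

def fresh(base):
    """A variable name unused elsewhere in this example."""
    return f"{base}_{next(_counter)}"

def free_vars(t):
    """FV(t), the standard set of free variables."""
    if t[0] == 'var': return {t[1]}
    if t[0] == 'sort': return set()
    if t[0] == 'app': return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) | (free_vars(t[3]) - {t[1]})

def subst(t, x, N):
    """Capture-avoiding substitution t{x := N} (the .{. := .} operator of Definition 2)."""
    tag = t[0]
    if tag == 'var':
        return N if t[1] == x else t
    if tag == 'sort':
        return t
    if tag == 'app':
        return app(subst(t[1], x, N), subst(t[2], x, N))
    _, y, A, body = t
    A2 = subst(A, x, N)          # the binder's type is in the scope of x
    if y == x:                   # x is shadowed: the body is untouched
        return (tag, y, A2, body)
    if y in free_vars(N):        # rename the binder to avoid capture
        z = fresh(y)
        body, y = subst(body, y, var(z)), z
    return (tag, y, A2, subst(body, x, N))

def beta_step(t):
    """One leftmost-outermost β-step (compatible closure, Definition 2.2); None if t ∈ NF(β)."""
    tag = t[0]
    if tag in ('var', 'sort'):
        return None
    if tag == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':                    # (λx:A. M) N →β M{x := N}
            return subst(f[3], f[1], a)
        r = beta_step(f)
        if r is not None:
            return app(r, a)
        r = beta_step(a)
        return None if r is None else app(f, r)
    _, x, A, body = t
    r = beta_step(A)
    if r is not None:
        return (tag, x, r, body)
    r = beta_step(body)
    return None if r is None else (tag, x, A, r)

def is_beta_normal(t): return beta_step(t) is None

def beta_nf(t, fuel=10_000):
    """β-normal form by iterated steps; fuel-bounded because untyped terms may loop."""
    for _ in range(fuel):
        r = beta_step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("fuel exhausted")

def eta_expand(M, A):
    """Full η-expansion step: M →η λz:A. (M z), z fresh, with no condition on A."""
    z = fresh('z')
    return lam(z, A, app(M, var(z)))

def eta_expand_restricted(M, A):
    """Definition 5: expand only if M is not a λ-abstraction and A ∈ NF(β); None otherwise."""
    if M[0] == 'lam' or not is_beta_normal(A):
        return None
    return eta_expand(M, A)

# Ghani's counter-example: Γ = X : *, x : X → X and B(y) = (λz:X→X. X) y.
X, x = var('X'), var('x')
X_to_X = pi('_', X, X)

def B(y):
    """B(y) →β X, so Πz:B(y). X =β X → X: x can be re-typed at Πz:B(y). X before every step."""
    return app(lam('z', X_to_X, X), y)

def ghani_sequence(n):
    """x, λz:B(x). (x z), λz:B(λz:B(x). (x z)). (x z), ... : the first n+1 terms of the
    infinite full-η-expansion sequence, each expanding the x inside the previous annotation."""
    seq = [x]
    for _ in range(n):
        seq.append(eta_expand(x, B(seq[-1])))
    return seq
```

Every term of the sequence β-reduces to the same normal form λz:X. (x z), which is exactly the single step the restricted rule permits from x.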

3 Strong normalization of β-reduction+η-expansion for the λ-cube

In this section, we prove that β-reduction+η-expansion is strongly normalizing on the legal terr
λ-cube.

Analysis Many proofs of strong normalization for the Calculus of Constructions (see e.g. [1,15,2
achieved through the definition of a suitable model construction, in which types are interpreted a
sets of strongly normalizing λ-terms, called saturated sets. Our proof proceeds in a similar way and
inspired from [25]. There are some minor differences however:

1. the notion of saturated set is modified so as to account for the peculiarities of β-reduction+η-e
typically of not being substitutive;

2. in the proof of the soundness theorem, the induction step for the abstraction rule is modified
take into account the characterization of strongly normalizing terms w.r.t. β-reduction+η-exp

The proof is not fully satisfactory, as one would hope to have a modular proof of strong normali
β-reduction+η-expansion for the λ-cube. In other words, one would like to reduce (in a weak s
arithmetic) strong normalization of β-reduction+η-expansion for the λ-cube to strong normalizat
reduction for the usual λ-cube (without having to prove the latter). One possibility, which needs to b
explored, is to extend the technique of simulating-expansions-without-expansions [11,26] to the C
Prerequisites The proof is self-contained, except that we make use of the following results.

Theorem 1 (Geuvers [14]). For the systems of the λ-cube:

1. →βη is confluent on legal terms: (Γ ⊢ M : A ∧ Γ ⊢ N : A ∧ M =βη N) ⇒ M ↓βη N

2. →βη enjoys subject reduction: (Γ ⊢ M : A ∧ M →βη N) ⇒ Γ ⊢ N : A

From the point of view of the proof, the most important consequence of confluence and subject red
that the systems of the λ-cube are sound w.r.t. convertibility [16], i.e. that every two convertible
kinds are convertible through well-typed terms. Soundness w.r.t. convertibility is required to prove
interpretation of types ⟨⟨.⟩⟩ preserves convertibility.

Theorem 2 ([6]). For the systems of the λ-cube:

1. →η(Γ) is strongly normalizing on Γ-legal terms;

2. →η(Γ) preserves β-normal forms.

It follows:

Lemma 2. If Γ ⊢ M : A and M ∈ NF(β) then M ∈ SN(βη).

Proof. By the above theorem, every reduction sequence starting from M ∈ NF(β) is an η-reduction
and hence terminates.

Finally, we need the following characterization of strongly normalizing terms.

Lemma 3. Assume (λx:A. M) N P1 ... Pn ∈ SN(βη(Γ)). If A, N ∈ SN(βη(Γ)) and for every N'
that N →→βη N', M{x := N'} P1 ... Pn ∈ SN(βη(Γ)) then (λx:A. M) N P1 ... Pn ∈ SN(βη(Γ

Proof. By an analysis of the possible reduction sequences starting from (λx:A. M) N P1 ... Pn. Na
an infinite sequence will be of the form

(λx:A. M) N P1 ... Pn  →→βη  λz1:B1 ... λzm:Bm. (λx:A'. M') N' P1' ... Pn' z1' ... z
                       →βη   λz1:B1 ... λzm:Bm. (M'{x := N'}) P1' ... Pn' z1' ... zm'
                       →βη   ···

with B1, ..., Bm, z1', ..., zm' ∈ NF(β) ⊆ SN(βη(Γ)) and M', N', P1', ..., Pn' ∈ SN(βη(Γ)). By as
(M{x := N'}) P1 ... Pn ∈ SN(βη(Γ)). Now

(M{x := N'}) P1 ... Pn  →→βη  λz1:B1 ... λzm:Bm. (M'{x := N'}) P1' ... Pn' z1' ... zm'

so we conclude that the reduction sequence cannot be infinite, a contradiction.

Lemma 3 is used crucially in proving the soundness of the model construction, more specifically in
of the (abstraction) rule.

3.1 Environments

The notion of environment conveniently captures the notion of infinite context.

Definition 6 (Pottinger [22]). An environment ℰ is an infinite sequence of variable declarations
x1 : E1, x2 : E2, ... such that for every i > 0

– ℰ^i = x1 : E1, ..., xi : Ei is a legal context;

– if ℰ^i ⊢ A : s and s ∈ S then there exist infinitely many k s.t. Ek = A.

We write ℰ ⊢ M : A whenever there exists i > 0 s.t. ℰ^i ⊢ M : A.

Note that the definition of environment implicitly embeds our variable convention, i.e. for every (x

ℰ ⊢ A : s iff x ∈ V^s

Lemma 4 (Pottinger [22]). Every context can be extended to an environment.

Environments are convenient for the purpose of strong normalization proofs, because (up to conv
an expression has at most one type in an environment and because η-expansion is stable under thin
for i ≤ j, we have M →η(ℰ^i) N ⇒ M →η(ℰ^j) N. In the sequel, we therefore omit Γ and write
3.2 Saturated sets

Throughout this section, we let ℰ be a fixed environment. We say A is an ℰ-type (or simply a
ℰ ⊢ A : s with s ∈ S. Moreover, we let SN(A) denote the set of βη-strongly normalizing terms of
ℰ. Finally we let  = {x ∈ V | ℰ ⊢ x : A}.

Definition 7 (Base terms). The set Base(A) of A-base terms is defined inductively as follows:

1.  ⊆ Base(A),

2. if a ∈ Base(Πx:B. A) and b ∈ SN(B), then a b ∈ Base(A{x := b}).

Key reduction, as defined below, is a specific strategy reducing terms to weak-head normal form.

Definition 8 (Key reduction). Key-reduction →k is the smallest reduction relation satisfying

(λx:B. a) b c1 ... cn →k a{x := b} c1 ... cn

Note that we do not take the compatible closure of the above rule.

Note that, for every b ∈ T there exists at most one b' ∈ T such that b →k b'.

Definition 9 (Saturated set). Let A be a type. A set X ⊆ SN(A) is A-saturated if Base(A) ⊆ X
is closed under the rules:

b ∈ X    b →k b'          b' ∈ X    b ∈ SN(A)    b →k b'
----------------          -----------------------------
     b' ∈ X                          b ∈ X

The collection of A-saturated sets is denoted by SAT(A).

The extra clause in the definition of saturated sets is due to Lemma 3.² In order for the definition of s
sets to make sense, we need to prove base terms are strongly normalizing; otherwise there would n
saturated set.

Lemma 5. For every type A, Base(A) ⊆ SN(A).

Proof. Similar to that of Lemma 3.

We conclude this subsection by stating some fundamental closure properties of saturated sets.

Lemma 6.

1. SN(A) ∈ SAT(A).

2. If Xi ∈ SAT(A) for every i ∈ I and I ≠ ∅ then ∩_{i∈I} Xi ∈ SAT(A).

3. If X ∈ SAT(A) and for every x ∈ X, F_x ∈ SAT(B) then Πx ∈ X. F_x ∈ SAT(Πx:A. B), whe
   ∈ A. F_x = {M ∈ SN(Πx:A. B) | ∀N ∈ X. M N ∈ F_N}

3.3 The Classification Lemma

It is convenient to base the model construction on a classification lemma, which stratifies the differe
of pseudo-terms. The formulation used below is a variant of Geuvers’ Classification Lemma, see e.

Definition 10 (Pseudo-objects, pseudo-constructors and pseudo-kinds). The classes 𝒪, 𝒞
of pseudo-objects, pseudo-constructors and pseudo-kinds are given by the abstract syntaxes

𝒪 = V* | λV*:𝒞. 𝒪 | λV□:𝒦. 𝒪 | 𝒪 𝒪 | 𝒪 𝒞
𝒞 = V□ | ΠV*:𝒞. 𝒞 | ΠV□:𝒦. 𝒞 | λV*:𝒞. 𝒞 | λV□:𝒦. 𝒞 | 𝒞 𝒞 | 𝒞 𝒪
𝒦 = * | ΠV*:𝒞. 𝒦 | ΠV□:𝒦. 𝒦

We write M  N if M ∈ 𝒱 and N ∈ 𝒱 for some 𝒱 ∈ {𝒪, 𝒞, 𝒦}.

We have:

Lemma 7 (Classification Lemma). If ℰ ⊢ M : A then exactly one of the three conditions
(1) M ∈ 𝒪 and A ∈ 𝒞 (2) M ∈ 𝒞 and A ∈ 𝒦 (3) M ∈ 𝒦 and A = □.

² Compare with the similar result for β-reduction: if A, N, M{x := N} P1 ... Pn ∈ SN(β) th
3.4 The model construction

The first step of the model construction is to define an interpretation which assigns to every pse
the set of possible interpretations for its inhabitants. Below we let 1 denote an arbitrary one-elemen
write B : K instead of B ∈ {M ∈ T | ℰ ⊢ M : K}.

Definition 11 (Possible values). The map α : T → Set and the relation =_A ⊆ α(A) × α(A
A ∈ T) are defined by

α(A) =  SAT(A)                                                      if ℰ ⊢ A : * or ℰ ⊢ A : □
        {f | ∀B : K1. f_B ∈ α(B) → α(A B)
             ∧ (∀B, B' : K1. B =βη B' ⇒ f_B =_A f_B')}                if ℰ ⊢ A : Πx:K1. K2 and K2
        {1}                                                         otherwise

and

x =_A y =  x = y                                                    if ℰ ⊢ A : * or ℰ ⊢ A : □
           ∀B : K1. ∀z ∈ α(B). x_B z =_{K2{x:=B}} y_B z              if ℰ ⊢ A : Πx:K1. K2 and K2
           true                                                     otherwise

In the sequel, we let Λ =

The interpretation preserves convertibility.

Lemma 8. If A and B are legal terms in ℰ and A =βη B then α(A) = α(B).

Proof. By induction on the type of A and B.

The next interpretation maps types and kinds to saturated sets.

Definition 12.

1. A valuation is a pair (ρ, ζ) with ρ : V → T and ζ : V → Λ.

2. The extension ⟦.⟧ρ : T → T of ρ is defined as the unique capture-avoiding substitution extendi

3. The extension ⟨⟨.⟩⟩(ρ,ζ) : T → Λ of ζ is defined as follows:

   ⟨⟨x⟩⟩(ρ,ζ)        = ζ(x)                                          if x ∈ V
   ⟨⟨s⟩⟩(ρ,ζ)        = SN(s)                                         if s ∈ S
   ⟨⟨Πx:A. B⟩⟩(ρ,ζ)  = ΠP ∈ ⟨⟨A⟩⟩(ρ,ζ). int(ρ,ζ)(B, P)
   ⟨⟨M N⟩⟩(ρ,ζ)      = (⟨⟨M⟩⟩(ρ,ζ))_{⟦N⟧ρ} ⟨⟨N⟩⟩(ρ,ζ)                   if ⟦M N⟧ρ ∈ 𝒞
   ⟨⟨λx:A. M⟩⟩(ρ,ζ)  = (fun(ρ,ζ)(M, P))_{P : ⟦A⟧ρ}                     if ⟦λx:A. M⟧ρ ∈ 𝒞
                     = 1                                              otherwise

   where

   int(ρ,ζ)(M, P) = ∩_{c ∈ α(P)} ⟨⟨M⟩⟩(ρ{x:=P},ζ{x:=c})

   fun(ρ,ζ)(M, P) = λc ∈ α(P). ⟨⟨M⟩⟩(ρ{x:=P},ζ{x:=c})

   and λ denotes the set-theoretic abstraction.

In order to prove strong normalization one first needs to show that, under suitable conditions, v
preserve typability and that the ⟨⟨.⟩⟩-interpretation of a term is an element of the possible val
⟦.⟧-interpretation.

Definition 13.

1. A valuation (ρ,ζ) satisfies M : A, written (ρ,ζ) ⊨ M : A, if

   (a) ℰ ⊢ ⟦M⟧ρ : ⟦A⟧ρ
2. A valuation (ρ,ζ) satisfies Γ, written (ρ,ζ) ⊨ Γ, where Γ is a pseudo-context, if (ρ,ζ) ⊨ x : A
   (x : A) ∈ Γ.

3. A judgment Γ ⊢ M : A is valid, written Γ ⊨ M : A, if (ρ,ζ) ⊨ M : A for every valuation
   (ρ,ζ) ⊨ Γ.

We need to start with a few technical lemmas. First of all, we show that the interpretation is well
w.r.t. substitution.

Lemma 9. Assume that Γ1, x : B, Γ2 ⊢ M : A and Γ1 ⊢ N : B. If (ρ,ζ) ⊨ Γ1, x : B
⟨⟨M{x := N}⟩⟩(ρ,ζ) =

Proof. By induction on the structure of M.

We also need to show that valuations can always be extended in such a way that satisfaction is pr

Lemma 10. Let Γ, x : A be a legal context and let (ρ,ζ) be a valuation s.t. (ρ,ζ) ⊨

1. (ρ{x := N}, ζ{x := c}) ⊨ Γ, x : A for every N ∈ T s.t. ℰ ⊢ N : ⟦A⟧ρ and c ∈ α(N).

2. There exists z ∈ V s.t. (ρ{x := z}, ζ{x := c}) ⊨ Γ, x : A for every c ∈ α(z).

Proof. By definition of ⊨.

The interpretation is preserved under conversion.

Lemma 11.

1. Assume Γ ⊢ M, N : A and M =βη N. Then for every valuation (ρ,ζ)
   (ρ,ζ) ⊨ Γ.

2. Assume Γ ⊢ M : A. Then ⟨⟨M⟩⟩(ρ,ζ) = ⟨⟨M⟩⟩(ρ',ζ) for every valuations (ρ,ζ), (ρ',ζ)
   (ρ,ζ) ⊨ Γ, (ρ',ζ) ⊨ Γ and ρ =βη ρ'.³

Proof. (1) By confluence and subject reduction of →βη it is sufficient to consider the case where M
The proof proceeds by induction on the structure of M. (2) Similarly, it is sufficient to consider
where ρ →βη ρ'. The proof proceeds by induction on the structure of M.

We can now prove the following result.

Proposition 1. If Γ ⊢ M : A then Γ ⊨ M : A.

Proof. By induction on the structure of derivations. We treat three cases:

1. assume that Γ ⊢ M : A is derived using (product). Then A = s2 and M = Πx:B. C. Moreove
   rule of the derivation is of the form

      Γ ⊢ B : s1    Γ, x : B ⊢ C : s2
      -------------------------------
      Γ ⊢ Πx:B. C : s2

   Assume (ρ,ζ) ⊨ Γ. To show (ρ,ζ) ⊨ Πx:B. C : s2.

   (a) To prove ℰ ⊢ ⟦Πx:B. C⟧ρ : s2. By induction hypothesis, (ρ,ζ) ⊨ B : s1. In particular ℰ ⊢ ⟦
   Moreover there exists by Lemma 10 a variable z s.t. for every c ∈ α(z),

      (ρ{x := z}, ζ{x := c}) ⊨ Γ, x : B

   By induction hypothesis, ℰ ⊢ ⟦C⟧ρ{x:=z} : s2. We conclude by (product).

³ →βη is extended to valuations in the obvious way, i.e. ρ →βη ρ' if there exists x ∈ V such that ρ(x)
   (b) To prove ⟨⟨Πx:B. C⟩⟩(ρ,ζ) ∈ α(⟦Πx:B. C⟧ρ). Note that it is enough to show that

      ⟨⟨Πx:B. C⟩⟩(ρ,ζ) ∈ SAT(⟦Πx:B. C⟧ρ)

   By induction hypothesis, ⟨⟨B⟩⟩(ρ,ζ) ∈ SAT(⟦B⟧ρ) and

      ∀N ∈ T. ∀c ∈ α(N). (ρ{x := N}, ζ{x := c}) ⊨ Γ, x : B ⇒ ⟨⟨C⟩⟩(ρ{x:=N},ζ{x:=c}) ∈ SAT(⟦C

   By Lemma 10, ∀N ∈ T. ∀c ∈ α(N). ℰ ⊢ N : ⟦B⟧ρ ⇒ (ρ{x := N}, ζ{x := c}) ⊨ Γ, x
   hence ∀N ∈ T. ∀c ∈ α(N). ℰ ⊢ N : ⟦B⟧ρ ⇒ ⟨⟨C⟩⟩(ρ{x:=N},ζ{x:=c}) ∈ SAT(⟦C⟧ρ{x:=N})
   2 of Lemma 6,

      ∀N ∈ T. ℰ ⊢ N : ⟦B⟧ρ ⇒ ∩_{c ∈ α(N)} ⟨⟨C⟩⟩(ρ{x:=N},ζ{x:=c}) ∈ SAT(⟦C⟧ρ{x:=N})

   We conclude by part 3 of Lemma 6.

2. assume that Γ ⊢ M : A is derived using (application). Then M = M1 M2, A = C{x := M2} an
   rule of the derivation is

      Γ ⊢ M1 : (Πx:B. C)    Γ ⊢ M2 : B
      --------------------------------
      Γ ⊢ M1 M2 : C{x := M2}

   Assume (ρ,ζ) ⊨ Γ. To show (ρ,ζ) ⊨ M1 M2 : C{x := M2}.

   (a) to prove ℰ ⊢ ⟦M1 M2⟧ρ : ⟦C{x := M2}⟧ρ. It follows directly from the induction hypothesi

   (b) to prove that ⟨⟨M1 M2⟩⟩(ρ,ζ) ∈ α(⟦M1 M2⟧ρ). There are two cases to distinguish:

      i. If ⟦M1 M2⟧ρ ∉ 𝒞, then α(⟦M1 M2⟧ρ) = {1} and ⟨⟨M1 M2⟩⟩(ρ,ζ) = 1, so we are done.

      ii. If ⟦M1⟧ρ ∈ 𝒞 then by induction hypothesis, ⟨⟨M1⟩⟩(ρ,ζ) ∈ α(⟦M1⟧ρ) and ⟨⟨M2⟩⟩(ρ,ζ) ∈ α
      Now ⟦M1⟧ρ ∈ 𝒞 and hence (⟨⟨M1⟩⟩(ρ,ζ))_{⟦M2⟧ρ} ⟨⟨M2⟩⟩(ρ,ζ) ∈ α(⟦M1 M2⟧ρ) and we are don

3. assume that Γ ⊢ M : A is derived using (abstraction). Necessarily M = λx:B. N, A = Πx:B. C
   last rule of the derivation is

      Γ, x : B ⊢ N : C    Γ ⊢ (Πx:B. C) : s
      -------------------------------------
      Γ ⊢ λx:B. N : Πx:B. C

   Assume (ρ,ζ) ⊨ Γ. To show (ρ,ζ) ⊨ λx:B. N : Πx:B. C.

   (a) To prove ℰ ⊢ ⟦λx:B. N⟧ρ : ⟦Πx:B. C⟧ρ. By Lemma 10, there exists z ∈ V s.t. for every c

      (ρ{x := z}, ζ{x := c}) ⊨ Γ, x : B

   By induction hypothesis,

      ℰ ⊢ ⟦Πx:B. C⟧ρ : s

   We conclude by (abstraction).

   (b) To prove that ⟨⟨λx:B. N⟩⟩(ρ,ζ) ∈ α(⟦λx:B. N⟧ρ). There are two cases to distinguish:

      i. If ⟦λx:B. N⟧ρ ∉ 𝒞, then α(⟦λx:B. N⟧ρ) = {1} and ⟨⟨λx:B. N⟩⟩(ρ,ζ) = 1, so we are done.

      ii. If ⟦λx:B. N⟧ρ ∈ 𝒞, then we have to show that for every P such that ℰ ⊢ P : ⟦B⟧ρ:

         (α) (⟨⟨λx:B. N⟩⟩(ρ,ζ))_P Q ∈ α(⟦λx:B. N⟧ρ P) for every Q ∈ α(P);

         (β) (⟨⟨λx:B. N⟩⟩(ρ,ζ))_P = (⟨⟨λx:B. N⟩⟩(ρ,ζ))_{P'} for every P' ∈ T legal in ℰ and s.t. P =βη

      By definition, (⟨⟨λx:B. N⟩⟩(ρ,ζ))_P Q = ⟨⟨N⟩⟩(ρ{x:=P},ζ{x:=Q}). We conclude the proof o
      Lemma 10 and induction hypothesis. As for (β), we conclude by Lemma 11.

We now turn to soundness, which states that under suitable conditions, ⟦M⟧ρ ∈ ⟨⟨A⟩⟩(ρ,ζ) when
M : A. We begin with some definitions and preliminary results.

Definition 14.

1. A valuation (ρ,ζ) semantically entails M : A, written (ρ,ζ) ⊨ˢ M : A, if (ρ,ζ) ⊨




2. A valuation (ρ,ζ) semantically entails Γ, written (ρ,ζ) ⊨ˢ Γ, where Γ is a pseudo-context, if
   x : A for every (x : A) ∈ Γ.

3. A judgment Γ ⊢ M : A is sound, written Γ ⊨ˢ M : A, if (ρ,ζ) ⊨ˢ M : A for every valuation
   (ρ,ζ) ⊨ˢ Γ.

The following lemma shows that valuations can always be extended in such a way that satis
preserved.

Lemma 12. Let Γ, x : A be a legal context and let (ρ,ζ) be a valuation s.t. (ρ,ζ) ⊨ˢ

1. (ρ{x := N}, ζ{x := c}) ⊨ˢ Γ, x : A for every N ∈ T s.t. ℰ ⊢ N : ⟦A⟧ρ and c ∈ α(N) and N ∈ ⟨⟨

2. There exists z ∈ V s.t. (ρ{x := z}, ζ{x := c}) ⊨ˢ Γ, x : A for every c ∈ α(z).

Proof. By definition of ⊨ˢ.

Finally, we prove that the model construction is sound.

Proposition 2 (Soundness). If Γ ⊢ M : A then Γ ⊨ˢ M : A.

Proof. Note that we only have to show that ⟦M⟧ρ ∈ ⟨⟨A⟩⟩(ρ,ζ) whenever (ρ,ζ) ⊨ˢ Γ. We treat thre

1. assume that Γ ⊢ M : A is derived using (product). Then A = s2 and M = Πx:B. C. Moreove
   rule of the derivation is of the form

      Γ ⊢ B : s1    Γ, x : B ⊢ C : s2
      -------------------------------
      Γ ⊢ Πx:B. C : s2

   Assume (ρ,ζ) ⊨ˢ Γ. To show ⟦Πx:B. C⟧ρ ∈ ⟨⟨s2⟩⟩(ρ,ζ). Note that ⟨⟨s2⟩⟩(ρ,ζ) = SN(s2) so w
   prove that ⟦Πx:B. C⟧ρ is strongly normalizing. By induction hypothesis, both ⟦B⟧ρ and ⟦C⟧
   (ρ',ζ') ⊨ˢ           strongly normalizing. By Lemma 12, there exists z ∈ V and c ∈
   (ρ{x := z}, ζ{x := c}) ⊨ˢ Γ, x : B. Hence ⟦C⟧ρ{x:=z} is strongly normalizing. Thus ⟦Πx:
   strongly normalizing.

2. assume that Γ ⊢ M : A is derived using (application). Then M = M1 M2, A = C{x := M2} an
   rule of the derivation is

      Γ ⊢ M1 : (Πx:B. C)    Γ ⊢ M2 : B
      --------------------------------
      Γ ⊢ M1 M2 : C{x := M2}

   Assume (ρ,ζ) ⊨ˢ Γ. To show ⟦M1 M2⟧ρ ∈ ⟨⟨C{x := M2}⟩⟩(ρ,ζ). By induction hypothesis,

      ⟦M1⟧ρ ∈ ⟨⟨Πx:B. C⟩⟩(ρ,ζ)    ⟦M2⟧ρ ∈ ⟨⟨B⟩⟩(ρ,ζ)    ⟨⟨M2⟩⟩(ρ,ζ) ∈ α(⟦M2⟧ρ)

   By definition of ⟨⟨Πx:B. C⟩⟩(ρ,ζ), ⟦M1 M2⟧ρ ∈ ∩_{c ∈ α(⟦M2⟧ρ)} ⟨⟨C⟩⟩(ρ{x:=⟦M2⟧ρ},ζ{x:=c}). A fortiori

      ⟦M1 M2⟧ρ ∈ ⟨⟨C⟩⟩(ρ{x:=⟦M2⟧ρ},ζ{x:=⟨⟨M2⟩⟩(ρ,ζ)})

   By Lemma 9, ⟦M1 M2⟧ρ ∈ ⟨⟨C{x := M2}⟩⟩(ρ,ζ).

3. assume that Γ ⊢ M : A is derived using (abstraction). Necessarily M = λx:B. N, A = Πx:B. C
   last rule of the derivation is

      Γ, x : B ⊢ N : C    Γ ⊢ (Πx:B. C) : s
      -------------------------------------
      Γ ⊢ λx:B. N : Πx:B. C

   Assume (ρ,ζ) ⊨ˢ Γ. To show that ⟦λx:B. N⟧ρ ∈ ⟨⟨Πx:B. C⟩⟩(ρ,ζ), or by definition of ⟨⟨Πx:B
   that

      ∀P ∈ ⟨⟨B⟩⟩(ρ,ζ). ⟦λx:B. N⟧ρ P ∈ ∩_{c ∈ α(P)} ⟨⟨C⟩⟩(ρ{x:=P},ζ{x:=c})    (*)

   By induction hypothesis and Lemma 12,           is a saturated set whenever P ∈
   and c ∈ α(P). By definition of saturated sets, (*) follows from:
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(b) for every P e ^l^^p{x-.=P) € ricea.(P)^(-®))(Ka^:=-P),C(a^:=c))- 

The latter is a direct consequence of the induction hypothesis and part 2 of Lemma 6. As fo 
need to prove by Lemma 3 that is strongly normalizing and that (|A^|)p(a;:=p') for everj 
that P ^f3Tj P'. As P' e {{B))fp^Q for P B’ ^ both follow from the induction hypothesis. 

It follows that legal terms of the systems of the A-cube are strongly normalizing w.r.t. /?-redu 
expansion. 

Theorem 3. For every system of the X-eube: P M : A ME SN{/3r]{r)) 

Proof. Without loss of generality, we can assume P ={), as 

xi : Ai, ... ,Xn : An M : B () h Aa^i : Ai Xxn '■ A„. M : Uxi : Ai IIx 

Xxi : Ai Xxn : A„. M e SU{(3rj) ^ M E SU{(3fj) 

Then for every valuation (p,^), (|M|p € {{A})(p^Q E SAT((|A|p). In particular, (|M|)p € SN( 

(|M|)p = M so we are done. 

4 Strong normalization of the algebraic A-cube 

In this section, we introduce the algebraic A-cube and show that strong normalization is a modular 
of the algebraic A-cube, provided the underlying term-rewriting system is non-duplicating. 

4.1 The algebraic A-cube 

The algebraic A-cube is obtained from the A-cube by aggregating many-sorted rewriting systems to 
systems. As in [7,8, 10], we shall only consider first-order term-rewriting systems. Note however t 
are other presentations of the algebraic A-cube based on higher-order rewriting systems, see e.g. [3 

Definition 15. A signature S consists of a pair {A, {Fnps)weLht{A),seA) where A is a set of univi 
{Fw,s)v<eList(A),seA on indexed family of pairwise disjoint sets of function symbols. In the sequ 
^ ~ Utt,eList(/i),se/i 

Below we let A7 be a fixed signature and assume given a fixed countably infinite set of variables lA 
universe r. 

Definition 16. The set T_Σ(τ) of τ-terms is defined by the clauses:

1. if x ∈ V_τ, then x ∈ T_Σ(τ);

2. if f ∈ F_{(τ₁,…,τₙ),τ} and tᵢ ∈ T_Σ(τᵢ) for i = 1, …, n, then f(t₁, …, tₙ) ∈ T_Σ(τ).

As usual, we let var(t) and mvar(t) denote the set and multiset of variables of t respectively.
Finally, we define term-rewriting systems.

Definition 17. A term-rewriting system R is an indexed set (R_τ)_{τ∈A} such that R_τ ⊆ T_Σ(τ) × T_Σ(τ) and var(l) ⊆ var(r) for every (l, r) ∈ R_τ. We say R is non-duplicating if mvar(l) ⊆ mvar(r) for every (l, r) ∈ R_τ.
Basic concepts, such as the rewriting relation and termination, are defined in the standard way, see
Throughout this section, we let R be a fixed term-rewriting system. Every rule set S yields an algebraic type system λS + R as follows.

Definition 18 (Algebraic Type Systems of the algebraic λ-cube).

1. The set T of pseudo-terms is defined by the abstract syntax

T = V* | V□ | * | □ | T T | λV:T.T | ΠV:T.T | A | F

2. Algebraic reduction →_R is defined by the rules C[θl] →_R C[θr] where (l, r) is a rule, C[.] is a context (in the terminology of rewriting) and θ is a substitution.

3. β-reduction, η-reduction, … are defined as in Section 2.

4. The derivability relation ⊢ is given by the rules of Figure 1 except for the conversion rule, and the rules of Figure 4.

In the conversion rule, one could have used η-expansion instead of η-reduction. The important point is not to allow conversion, especially algebraic conversion, as it would lead to an inconsistent system e.g.

circToTYi Ac\^y-\c\A V\ir TV\/2 i r*iil/2io r\v’( nr> ai\ i. nr> r\f (.T ^ O .T F 7 l 
(universe)     ⟨⟩ ⊢ a : *                                if a ∈ A

(function)     Γ ⊢ M₁ : σ₁  …  Γ ⊢ Mₙ : σₙ
               ---------------------------------         if f ∈ F_{(σ₁,…,σₙ),τ}
               Γ ⊢ f(M₁, …, Mₙ) : τ

(conversion)   Γ ⊢ A : B    Γ ⊢ B' : s
               ---------------------------------         if B ≈ B'
               Γ ⊢ A : B'

Fig. 4. New rules for the algebraic λ-cube



4.2 Proof-irrelevance 



One major obstacle with the algebraic λ-cube is subject reduction. As shown in [3], subject reduction can be proved directly, but the proof is extremely complex and lengthy. A simpler alternative, suggested by the author in [7], is to define a proof-irrelevant algebraic λ-cube, for which subject reduction is trivial to show, to show that the algebraic λ-cube is a subsystem of the proof-irrelevant algebraic λ-cube, and to conclude by showing the latter to be strongly normalizing. We begin by defining the proof-irrelevant algebraic λ-cube. As a preliminary, we define pseudo-objects, pseudo-constructors and pseudo-kinds. The definition is identical to the one of Section 3.

Definition 19 (Pseudo-objects, pseudo-constructors and pseudo-kinds). The classes O, C and K of pseudo-objects, pseudo-constructors and pseudo-kinds are given by the abstract syntaxes

O = V* | F | λV*:C. O | λV□:K. O | O O | O C
C = V□ | A | ΠV*:C. C | ΠV□:K. C | λV*:C. C | λV□:K. C | C C | C O
K = * | ΠV*:C. K | ΠV□:K. K

Intuitively, proof-irrelevant type systems are obtained by identifying all the pseudo-objects in the conversion rule. This motivates the definition below. For technical convenience, we assume the term-rewriting system under consideration to contain a specific constant •.

Definition 20.

1. The proof-irrelevant skeleton |.| : T → T is defined inductively as follows:

|M| = •                        if M ∈ O
|x| = x                        if x ∈ V ∪ A ∪ S
|M N| = |M| |N|                if (M N) ∉ O
|λx:A. M| = λx:|A|. |M|        if (λx:A. M) ∉ O
|Πx:A. B| = Πx:|A|. |B|

2. The proof-irrelevant conversion ≃ is defined by M ≃ N iff |M| and |N| are convertible.

3. The relation Γ ⊢^{pi} M : A is obtained from the rules of the algebraic λ-cube by replacing the conversion rule by

Γ ⊢^{pi} M : A    Γ ⊢^{pi} B : s
---------------------------------    if A ≃ B
Γ ⊢^{pi} M : B



As in [7], one can show the systems of the algebraic λ-cube to be sound w.r.t. proof-irrelevance, i.e. for every system of the algebraic λ-cube

Γ ⊢ M : A ⟹ Γ ⊢^{pi} M : A

To prove strong normalization of the algebraic λ-cube, it is thus enough to prove

Γ ⊢^{pi} M : A ⟹ M ∈ SN(βη(Γ)R)

The gain is that proof-irrelevant systems enjoy soundness w.r.t. convertibility and subject reduction.
4.3 The model construction

The model construction is extended by setting ((a)) = SN(a) for every universe a. The proof of strong normalization proceeds as before, except for:

1. the conversion rule: one needs to strengthen Lemma 11 by replacing =_{βη} by ≃. One proceeds

2. the function rule: one needs to use the following result.

Lemma 13. If R is non-duplicating and terminating, f ∈ F_{(σ₁,…,σₙ),τ} and ⊢ tᵢ : σᵢ for 1 ≤ i ≤ n, then

tᵢ ∈ SN(σᵢ) for 1 ≤ i ≤ n ⟹ f(t₁, …, tₙ) ∈ SN(τ)

Proof (Sketch) Termination is a persistent property of non-duplicating term-rewriting systems, so R is terminating on algebraic pseudo-terms and more generally on pseudo-terms, see [8]. To conclude, proceed exactly as in e.g. [2], using the notions of cap and aliens.

It follows that strong normalization (under β-reduction + η-expansion + algebraic reduction) is a modular property of the systems of the algebraic λ-cube, provided the underlying term-rewriting system is non-duplicating.

Theorem 4. For every system λS + R of the algebraic λ-cube: Γ ⊢ M : A ⟹ M ∈ SN(βη(Γ)R), provided R is terminating and non-duplicating.

Theorem 4 partially solves a conjecture by Di Cosmo and Ghani [10]. Also, Theorem 4 is not fully satisfactory, since one would like to drop the condition of the term-rewriting system being non-duplicating. The difficulty is to prove Lemma 13 for an arbitrary terminating term-rewriting system. One possibility, which needs to be further explored, is to use the techniques of [8].

5 Conclusion

This paper brings new light to η-expansion in systems of dependent types. In particular, we have shown that:

1. β-reduction + η-expansion is strongly normalizing for the systems of the λ-cube;

2. β-reduction + η-expansion + algebraic reduction is strongly normalizing for the systems of the algebraic λ-cube, provided the underlying term-rewriting system is terminating and non-duplicating.

In the future, it would be interesting to study strong normalization of β-reduction + η-expansion for Pure Type Systems. We therefore conclude with the following conjecture:³

Conjecture 1. For every specification S such that λβS is strongly normalizing w.r.t. λS is strongly normalizing w.r.t.

A similar conjecture for βη-reduction has been formulated by Geuvers [14].

Conjecture 2 (Geuvers). For every specification S such that λβS is strongly normalizing w.r.t. →β, λS is strongly normalizing w.r.t. →βη.

Our conjecture implies his, as

λS is strongly normalizing w.r.t. ⟹ λS is strongly normalizing w.r.t.

⟹ λS is strongly normalizing w.r.t.
Abstract. We research the problem of typability in the functional language ML extended with both atomic and polymorphic subtyping. The paper analyses the interaction between polymorphism and subtyping and gives an algebraic characterization of the typability problem.



Introduction 

Type reconstruction and type-checking are a form of ensuring program correctness. They prevent run-time errors and often even logical errors in program design.

Subtyping is a form of extending the type discipline which gives the programmer more freedom while retaining the advantages of type correctness. Since the seminal paper of Mitchell [Mit84] it has attracted a lot of interest. Several ways of extending the ML polymorphic type discipline with subtyping have been proposed, but the question of the complexity of type reconstruction in such systems remains open.

In this paper we give an algebraic characterization of typability in such a system, similar to the one that led to establishing the exact complexity of typability in pure ML. We hope that the characterisation proposed in this paper will allow a similar result to be achieved for ML with subtyping.



Contributions and organization of the paper 

In the first section of the paper we analyse the interaction between polymorphic and atomic subtyping. We introduce a system of subtyping for ML types that is a natural restriction of Mitchell's system [Mit88] to ML types, enriched with subtyping between type constants. In contrast to Mitchell's system, the relation induced by our system turns out to be decidable (in polynomial time, actually). Furthermore, we prove that polymorphic and atomic subtyping can in a certain sense be separated.

* This work has been partially supported by Polish KBN grant 8 T11C 035 14

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 104-119, 1999. 
In Section 2 we introduce a type system for ML with subtyping. In contrast to the previous work in this area, we try to keep this extension as simple as possible and thus do not propose to extend the syntax of types, but merely to add the subtyping rule. The resulting system turns out to behave very differently from its ancestor and enjoys some interesting (even if not very encouraging from the practical point of view) properties.

The paper [KTU90] provides an algebraic characterization of typability in ML by the “acyclic semiunification problem” (ASUP), a variant of the unification problem. In Section 3 we propose a generalization of ASUP that accommodates subtyping. In the final section we show that such an extension is sufficient to provide an algebraic characterization of typability in our system.

1 Preliminaries 

1.1 Terms 

We concentrate on a subset of ML terms essential for type analysis:

M ::= c | x | λx.M | M₁ M₂ | let x = M₁ in M₂

(x stands for variables and c for constants)

1.2 Types and type schemes

Given a set of type variables (α, β, γ, …) and a (finite) set of type constants (like char, int, real, …), we define the set of (monomorphic) types

τ ::= κ | α | τ → τ

where κ stands for type constants.

Further, we define the set of (polymorphic) type schemes

σ ::= ∀α₁ … αₙ.τ

In the sequel we shall use the abbreviation ∀ᾱ.τ, and the notational convention that σ (possibly with indices) will stand for type schemes and τ, ρ (possibly with indices) for (monomorphic) types.

If α ∉ FV(σ) then ∀α.σ is called an empty binding. A type scheme containing only empty bindings is called singular.

1.3 Subtype partial orders 

We assume there is some predefined partial ordering ≤_κ on the type constants.

We introduce a system of subtyping for ML types that is a restriction of Mitchell's system [Mit88] to ML types, enriched with subtyping between constants. The system derives formulas of the form σ ≤ τ, where σ and τ are type schemes.
Axioms:

(refl)    σ ≤ σ

(inst)    ∀ᾱ. σ ≤ ∀β̄. σ[ρ̄/ᾱ]      ρᵢ are types; βᵢ ∉ FV(∀ᾱ. σ)

Rules:

(const)   κ₁ ≤_κ κ₂
          ---------
          κ₁ ≤ κ₂

(→)       ρ' ≤ ρ    τ ≤ τ'
          ------------------
          ρ → τ ≤ ρ' → τ'

(∀)       σ ≤ σ'
          ----------------
          ∀α. σ ≤ ∀α. σ'

(trans)   σ ≤ σ₁    σ₁ ≤ σ'
          ------------------
          σ ≤ σ'

We write ⊢ σ ≤ σ' to indicate that σ ≤ σ' is derivable in the above system. We shall also write ⊢_σ for derivability without using the axiom (inst) (and use σ₁ ≤_σ σ₂ as a shorthand for ⊢_σ σ₁ ≤ σ₂) and ⊢_τ for derivability without mentioning type schemes at all.

We shall use the symbol ⊑ to denote the relation generated by the (inst) axiom.

It is worthwhile to observe that this is not a conservative restriction of Mitchell's system, i.e. if we allow substituting polymorphic types in (inst), we can infer more inequalities between ML types. A simple example here is the inequality

∀α.((α → β) → α) ≤ (α → β) → γ

which is derivable in Mitchell's system but (as follows from Theorem 1.7) not in ours. On the other hand, an important consequence of allowing only monomorphic instances is the following



Proposition 1.1. The relation ≤ is decidable.

Proof. This can be deduced from the results contained in [OL96]. In fact one can even prove that it is decidable in polynomial time.

Lemma 1.2. If ⊢ σ ≤ σ' and σ is singular then

1. FV(σ) = FV(σ')

2. the derivation contains only singular type schemes (in particular σ' is singular).

Lemma 1.3. If ⊢ τ ≤ τ' (with τ, τ' monomorphic) then there is a derivation of this inequality which contains only monomorphic types.

Lemma 1.4. The relation ≤ is reflexive and transitive.
Lemma 1.5. If σ ≤_σ σ₁ ⊑ σ' then there exists σ₂ such that

σ ⊑ σ₂ ≤_σ σ'.

Lemma 1.6. If σ₀ ⊑ σ₁ then ∀γ. σ₀ ⊑ ∀γ. σ₁.

Proof By the definition of ⊑ we have σ₀ = ∀ᾱ. σ and σ₁ = σ[ρ̄/ᾱ] for some σ, ρ̄. We have to consider two cases:

1. γ ∈ FV(∀ᾱ. σ). Then we have

∀γ.∀ᾱ. σ ⊑ ∀β̄. ∀γ'. σ[γ'/γ, β̄/ᾱ] = ∀β̄. ∀γ. σ ⊑ ∀γ. σ[ρ̄/ᾱ]

2. γ ∉ FV(∀ᾱ. σ). Then we have

∀γ.∀ᾱ. σ ⊑ ∀ᾱ. σ[γ'/γ] = ∀ᾱ. σ ⊑ ∀γ. σ[ρ̄/ᾱ]

In both cases the thesis follows from the transitivity of ⊑.

Theorem 1.7 (Normalization for ≤). If ⊢ σ ≤ σ' then there exists σ₁ such that

σ ⊑ σ₁ ≤_σ σ'

Proof Again we proceed by induction on the derivation. The basic cases, i.e. the axioms and (const), are trivial. The rule (trans) can be handled by Lemma 1.5.

If the last rule in the derivation was (→) then all components must be monomorphic, and by Lemma 1.3 there is a derivation of the inequality in ⊢_τ.

Having said that, we only have to consider the case when the last rule was (∀):

σ ≤ σ'
----------------
∀α. σ ≤ ∀α. σ'

By the induction assumption, there exists σ₁ such that

σ ⊑ σ₁ ≤_σ σ'.

But then, by Lemma 1.6 we have that

∀α. σ ⊑ ∀α. σ₁

On the other hand, obviously if σ₁ ≤_σ σ' then ∀α. σ₁ ≤_σ ∀α. σ'.

Proposition 1.8. In the ≤ ordering, every set of type schemes has a lower bound.

Proof It is easy to see that for every type scheme σ

∀α.α ≤ σ
(CON)    ⊢ c : κ(c)    for c ∈ 𝒞

(VAR)    E(x : σ) ⊢ x : σ

(ABS)    E(x : τ) ⊢ M : ρ
         -------------------
         E ⊢ λx.M : τ → ρ

(APP)    E ⊢ M : τ → ρ    E ⊢ N : τ
         ---------------------------
         E ⊢ MN : ρ

(INST)   E ⊢ M : ∀ᾱ.σ
         ----------------
         E ⊢ M : σ[ρ̄/ᾱ]

(LET)    E ⊢ M : σ₀    E(x : σ₀) ⊢ N : σ
         --------------------------------
         E ⊢ let x = M in N : σ

Fig. 1. A reference ML type system, ⊢ML



2 Type systems 



2.1 The traditional type system for pure ML 



We assume that we have a fixed set of constants 𝒞, and for each c ∈ 𝒞 its type κ(c), built only with type constants and arrows, is known.

The system depicted in Figure 1 will serve as a reference type system for ML [DM82,CDDK86,KTU90]. We shall use the symbol ⊢ML to denote derivability in this system.

The simplest way to extend this system with subtyping is by adding the subsumption rule

(SUB)    E ⊢ M : τ    τ ≤ ρ
         -------------------
         E ⊢ M : ρ

In the sequel by ⊢ML≤ we shall understand the system ⊢ML with the subsumption rule.

We shall say that a derivation is normal if the subsumption rule is applied only to variables and constants.

Lemma 2.1. If E ⊢ML≤ M : τ then there is a normal derivation ending with this judgement.
2.2 An alternative type system for ML

Kfoury et al., in [KTU89,KTU94], suggest an alternative (equivalent) type inference system for ML, which is better suited for complexity studies¹

(CON)    ⊢ c : κ(c)    for c ∈ 𝒞

(VAR)    E(x : σ) ⊢ x : τ    for σ ⊑ τ

(ABS)    E(x : τ) ⊢ M : ρ
         -------------------
         E ⊢ λx.M : τ → ρ

(APP)    E ⊢ M : τ → ρ    E ⊢ N : τ
         ---------------------------
         E ⊢ MN : ρ

(LET)    E ⊢ M : ρ    E(x : ∀ᾱ.ρ) ⊢ N : τ
         ---------------------------------
         E ⊢ let x = M in N : τ

Fig. 2. An alternative type system for ML, ⊢ML*

Proposition 2.2. For every term M, it is typable in ⊢ML* iff it is typable in ⊢ML.

For proof, cf. [CDDK86,KTU90].

Subtyping can be added here by replacing the instance relation in the axiom with the subtyping relation defined in Section 1.3 …

(VAR)    E(x : σ) ⊢ x : τ    if ⊢ σ ≤ τ

… and modifying the axiom for constants:

(CON)    ⊢ c : τ    if ⊢ κ(c) ≤ τ

We shall denote derivability in the resulting system by the symbol ⊢ML*≤.

Theorem 2.3. For every environment E, term M and monomorphic type τ, if ᾱ ⊆ FV(τ) − FV(E) then

E ⊢ML≤ M : ∀ᾱ. τ    iff    E ⊢ML*≤ M : τ

In other words, for every term M, it is typable in ⊢ML*≤ iff it is typable in ⊢ML≤.

¹ This system is called ⊢* in [KTU90]
Proof. The right-to-left implication becomes obvious when we observe that ⊢ML* can be viewed as a subset of ⊢ML≤, and that under the given assumption generalization over ᾱ is allowed in ⊢ML≤.

The proof of the left-to-right implication may proceed by induction on the derivation; the only difference from Proposition 2.2 lies in the rule (SUB):

(SUB)    E ⊢ M : ∀ᾱ. τ    ∀ᾱ. τ ≤ ∀β̄. τ'
         --------------------------------
         E ⊢ M : ∀β̄. τ'

Because of the normalization theorem for ≤, it is sufficient to consider the cases when ∀ᾱ. τ ⊑ ∀β̄. τ' and when ∀ᾱ. τ ≤_σ ∀β̄. τ'.

In the first case it follows that τ' = τ[ρ̄/ᾱ]. By the induction assumption we have that

E ⊢ML*≤ M : τ

and want to conclude that

E ⊢ML*≤ M : τ[ρ̄/ᾱ].

It is easy to see that

E[ρ̄/ᾱ] ⊢ML*≤ M : τ[ρ̄/ᾱ]

but since the ᾱ's cannot possibly be free in E, we have that E[ρ̄/ᾱ] = E.
Now consider the case when

∀ᾱ. τ ≤_σ ∀β̄. τ'

It is easy to prove that in this case ᾱ = β̄ and τ ≤ τ' with τ, τ' monomorphic. A routine check that in this case if E ⊢ML*≤ M : τ then E ⊢ML*≤ M : τ' is left to the reader.

Lemma 2.4. Let M be an arbitrary term, x a free variable occurring k times (k ≥ 1) in M, and let N = λx₁ … xₖ.M', where M' is a term obtained from M by replacing subsequent occurrences of x with x₁, …, xₖ respectively. Then M is typable iff N is, or, more precisely

1. If E(x : σ) ⊢ M : τ then E ⊢ N : ρ₁ → … → ρₖ → τ for some ρ₁, …, ρₖ such that σ ≤ ρᵢ for i = 1, …, k.

2. If E ⊢ N : ρ₁ → … → ρₖ → τ, then there is σ such that E(x : σ) ⊢ M : τ.

2.3 Example

The example depicted in Fig. 3 illustrates an important difference between ML and ML≤:

Assume we have two type constants i, r (one can think of them as representing for example int and real), with i ≤ r, an atomic constant pi of type r and a functional constant round of type r → i. Now consider the following term:

let t = (λf. λx. f (f x)) in t round pi

Fig. 3. A type derivation in ML≤

This term is not typable in ML but is typable in ML≤. In fact all its normal typings mention only monomorphic types. One of these typings is presented in Fig. 3. Here, the context in which t is used has ‘forced’ inferring a monomorphic type for it, even though its definition allows one to infer a universal type, e.g. ∀α.(α → α) → α → α.

This example illustrates consequences of the fact that ML≤ has no principal types property, and shows that this type system is in a way ‘not compositional’, whereas for ML the following holds:

Proposition 2.5. For any terms N₁, N₂,

E ⊢ML let x = N₁ in N₂ : τ

iff

E(x : σ) ⊢ML N₂ : τ

where σ is a principal type for N₁.
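As an added worked example (not code from the paper), the following Python implements the monomorphic fragment of the subtyping relation of Section 1.3 and a checker that looks for normal ML≤ derivations in the sense of Lemma 2.1, and runs it on the term of Section 2.3 with the constructed constant order i ≤ r. The monomorphic type (r → r) → r → r assumed for t is our stand-in for the derivation of Fig. 3, which is not reproduced on this page.

```python
"""Atomic subtyping on monomorphic ML types (Section 1.3) and a checker for
normal ML<= derivations (subsumption only at variables and constants), run on
the Section 2.3 term.  Added example code, not from the paper.  Types: a str is
a constant or variable, ('->', dom, cod) an arrow; terms are tagged tuples."""


class AtomicSubtyping:
    """|-_tau of Section 1.3: rules (refl), (const), (->), (trans).  Only
    constants need transitivity, so the check is structural and polynomial."""

    def __init__(self, const_order):
        # const_order: pairs (k1, k2) meaning k1 <=_kappa k2 (constructed input)
        self.le = set(const_order)
        changed = True
        while changed:                          # transitive closure of <=_kappa
            changed = False
            for a, b in list(self.le):
                for c, d in list(self.le):
                    if b == c and (a, d) not in self.le:
                        self.le.add((a, d))
                        changed = True

    def subtype(self, t1, t2):
        """True iff |-_tau t1 <= t2."""
        if isinstance(t1, str) and isinstance(t2, str):
            return t1 == t2 or (t1, t2) in self.le          # (refl) / (const)
        if isinstance(t1, tuple) and isinstance(t2, tuple):
            # (->): contravariant in the domain, covariant in the codomain
            return self.subtype(t2[1], t1[1]) and self.subtype(t1[2], t2[2])
        return False


class NormalChecker:
    """Checks a term against a monomorphic type, applying (SUB) only right
    after (VAR)/(CON), i.e. it looks for a normal derivation (Lemma 2.1).
    A let carries the monomorphic type chosen for the bound variable."""

    def __init__(self, sub):
        self.sub = sub

    def synth(self, env, term):
        tag = term[0]
        if tag in ('var', 'con'):
            return env[term[1]]
        if tag == 'app':                                    # (APP)
            _, fun, arg = term
            tf = self.synth(env, fun)
            if not (isinstance(tf, tuple) and tf[0] == '->'):
                raise TypeError(f'applying a non-function of type {tf}')
            if not self.check(env, arg, tf[1]):
                raise TypeError(f'argument {arg} does not have type {tf[1]}')
            return tf[2]
        if tag == 'let':                                    # (LET), monomorphic
            _, x, ann, bound, body = term
            if not self.check(env, bound, ann):
                raise TypeError(f'{bound} does not have the declared type {ann}')
            return self.synth({**env, x: ann}, body)
        raise TypeError(f'cannot synthesise a type for {term}')

    def check(self, env, term, ty):
        tag = term[0]
        if tag in ('var', 'con'):               # (VAR)/(CON) followed by (SUB)
            return self.sub.subtype(env[term[1]], ty)
        if tag == 'lam':                        # (ABS)
            _, x, body = term
            return (isinstance(ty, tuple) and ty[0] == '->'
                    and self.check({**env, x: ty[1]}, body, ty[2]))
        return self.synth(env, term) == ty      # no (SUB) on compound terms

    def typable_at(self, env, term, ty):
        try:
            return self.check(env, term, ty)
        except (TypeError, KeyError):
            return False


def arrow(dom, cod):
    return ('->', dom, cod)


# Section 2.3: constants pi : r and round : r -> i.
EXAMPLE_ENV = {'pi': 'r', 'round': arrow('r', 'i')}


def example_term():
    """let t = (λf. λx. f (f x)) in t round pi, with t declared at the
    monomorphic type (r -> r) -> r -> r (our assumption standing in for the
    derivation of Fig. 3, which is not reproduced here)."""
    twice = ('lam', 'f', ('lam', 'x',
             ('app', ('var', 'f'), ('app', ('var', 'f'), ('var', 'x')))))
    use = ('app', ('app', ('var', 't'), ('con', 'round')), ('con', 'pi'))
    return ('let', 't', arrow(arrow('r', 'r'), arrow('r', 'r')), twice, use)


def example_typable(const_order):
    """With i <=_kappa r (ML<=) the term has type r, since round : r -> i <=
    r -> r by (->); with the empty order (plain ML) the same derivation fails."""
    checker = NormalChecker(AtomicSubtyping(const_order))
    return checker.typable_at(EXAMPLE_ENV, example_term(), 'r')
```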



3 Subtyping and Semi-Unification

3.1 Semi-unification

The Semi-Unification Problem (SUP) can be formulated as follows: An instance Γ of SUP is a set of pairs of (monomorphic) types. A substitution S is a solution of Γ = {(t₁, u₁), …, (tₙ, uₙ)} iff there are substitutions R₁, …, Rₙ such that

R₁(S(t₁)) = S(u₁), …, Rₙ(S(tₙ)) = S(uₙ)

The problem is to decide whether a given instance has a solution.

A variation of this problem including subtyping can be formulated by redefining the solution of Γ as follows: S is a sub-solution of Γ iff there are substitutions R₁, …, Rₙ such that

R₁(S(t₁)) ≤ S(u₁), …, Rₙ(S(tₙ)) ≤ S(uₙ)

The Semi Sub-Unification Problem (SSUP) is to decide whether a given instance has a sub-solution.

Proposition 3.1 ([KTU93]). SUP is undecidable.

Corollary 3.2. SSUP is undecidable.

3.2 Acyclic semi-unification

An instance Γ of semi-unification is acyclic if for some n ≥ 1, there are integers r₁, …, rₙ and n + 1 disjoint sets of variables, V₀, …, Vₙ, such that the pairs of Γ can be placed in n columns (possibly of different height; column i contains rᵢ pairs):
(t^{1,1}, u^{1,1})     (t^{2,1}, u^{2,1})     …     (t^{n,1}, u^{n,1})
(t^{1,2}, u^{1,2})     (t^{2,2}, u^{2,2})     …     (t^{n,2}, u^{n,2})
        ⋮                      ⋮                          ⋮
(t^{1,r₁}, u^{1,r₁})   (t^{2,r₂}, u^{2,r₂})   …   (t^{n,rₙ}, u^{n,rₙ})

where:

V₀ = FV(t^{1,1}) ∪ … ∪ FV(t^{1,r₁})
Vᵢ = FV(u^{i,1}) ∪ … ∪ FV(u^{i,rᵢ}) ∪ FV(t^{i+1,1}) ∪ … ∪ FV(t^{i+1,r_{i+1}})    for 1 ≤ i < n
Vₙ = FV(u^{n,1}) ∪ … ∪ FV(u^{n,rₙ})

The set of terms with variables from Vᵢ is also called zone i.

The Acyclic Semi-Unification Problem (ASUP) is the problem of deciding whether a given acyclic instance has a solution.

Here again, subtyping can be introduced to yield an Acyclic Semi-Sub-Unification problem (ASSUP): whether a sub-solution of a given acyclic instance exists.

Proposition 3.3 ([KTU90]). ASUP is DEXPTIME-complete.



4 The equivalence between ML≤ and ASSUP

This section is devoted to the proof of the following

Theorem 4.1. ASSUP is log-space equivalent to ML≤ typability.

The reduction from ML≤ to ASSUP can be inferred from the original reduction from ML to ASUP given in [KTU90]. The differences are mostly of a technical nature, therefore we omit it here² and focus on the reduction from ASSUP to typability.



4.1 Constraining terms

For every type variable αᵢ, we introduce object variables vᵢ, wᵢ. We assume that for every type constant κ ∈ Q there is a constant c_κ of this type, and a constant c_{κ→κ} of type κ → κ. Now, for every monomorphic type τ, we define a term M_τ and a context C_τ[ ] with one hole simultaneously by induction on τ (bear in mind that K = λx.λy.x):

1. M_κ = c_κ

   C_κ[ ] = c_{κ→κ} [ ]

² The readers keen on details are referred to [Ben96].
2. M_{αᵢ} = vᵢ wᵢ

   C_{αᵢ}[ ] = vᵢ [ ]

3. M_{τ₁→τ₂} = λy. K M_{τ₂} C_{τ₁}[y]

   C_{τ₁→τ₂}[ ] = C_{τ₂}[[ ] M_{τ₁}]

Intuitively, M_τ can be used wherever enforcing τ as a lower bound is needed. Dually, the context C_τ[ ] imposes τ as an upper bound for types of the term placed inside it. These intuitions are formalised in the following

Lemma 4.2. Let τ, ρ₁, …, ρₗ, ρ'₁, …, ρ'ₗ, ρ''₁, …, ρ''ₗ be arbitrary types such that

FV(τ) ⊆ {α₁, …, αₗ},

ρᵢ ≤ ρ'ᵢ for 1 ≤ i ≤ ℓ.

Furthermore, let S be a substitution such that ρ'ᵢ ≤ S(αᵢ) ≤ ρ''ᵢ for 1 ≤ i ≤ ℓ. Then for any term N and environment E such that

E ⊇ {vᵢ : ρ'ᵢ → ρ''ᵢ, wᵢ : ρᵢ | 1 ≤ i ≤ ℓ}

we have for every type τ'':

1. If

E ⊢ M_τ : τ''

then S(τ) ≤ τ''

2. If

E ⊢ C_τ[N] : τ''

then

E ⊢ N : S(τ)

Lemma 4.3. Let τ, ρ₁, …, ρₗ be arbitrary types such that

FV(τ) ⊆ {α₁, …, αₗ}.

Furthermore, let S be a substitution such that S(αᵢ) = ρᵢ for 1 ≤ i ≤ ℓ. Then for any term N and environment E such that

E ⊇ {vᵢ : ρᵢ → ρᵢ, wᵢ : ρᵢ | 1 ≤ i ≤ ℓ}

we have

1. E ⊢ M_τ : S(τ)

2. If E ⊢ N : S(τ), then there exists τ'' such that E ⊢ C_τ[N] : τ''
4.2 The encoding

Consider an instance Γ of ASSUP. Without loss of generality we may assume that all the columns of Γ have an equal number of inequalities r.

Let the type variables in zone i, for i = 0, 1, …, n, be:

α_{i,1}, …, α_{i,ℓᵢ}

for some ℓᵢ ≥ 1, corresponding to which we introduce object variables:

v_{i,1}, w_{i,1}, v_{i,2}, w_{i,2}, …, v_{i,ℓᵢ}, w_{i,ℓᵢ}

The notation M_τ and C_τ[ ] introduced earlier relative to singly subscripted variables αᵢ and vᵢ, wᵢ is now extended to doubly subscripted variables α_{i,j} and v_{i,j}, w_{i,j}. We can assume that all the zones have an equal number ℓ of variables, i.e.,

ℓ = ℓ₀ = ℓ₁ = … = ℓₙ

With these assumptions about Γ, let us introduce some building blocks which shall be used in the construction of the term M_Γ.
In the sequel by Cᵢ^ℓ[ ] we shall mean the context

… λw_{i,ℓ}.(λv_{i,1} … λv_{i,ℓ}.[ ]) I … I    (ℓ times)

where I = λx.x.

Define

N'₁ = λz. z M_{t^{1,1}} … M_{t^{1,r}}

N₁ = C₀^ℓ[N'₁]

Further for 1 ≤ j ≤ r, define

P_{1,j} = λp₁ … λpₗ.(x₁ p₁ … pₗ (λy₁ … λyᵣ. C_{u^{1,j}}[yⱼ]))

and for 2 ≤ i ≤ n and 1 ≤ j ≤ r

P_{i,j} = λp₁ … λpₗ.(xᵢ p₁ … pₗ (λz₁ … λzᵣ. λy₁ … λyᵣ. C_{u^{i,j}}[yⱼ]))

and

N'ᵢ = λz. z P_{i−1,1} … P_{i−1,r} M_{t^{i,1}} … M_{t^{i,r}}

Nᵢ = Cᵢ^ℓ[N'ᵢ]

Finally we define the term M_Γ as follows:

M_Γ = let x₁ = N₁ in
      let x₂ = N₂ in
      …
      let x_{n−1} = N_{n−1} in
      let xₙ = Nₙ in N_{n+1}
4.3 Soundness of the encoding

Theorem 4.4. If Γ has a sub-solution then M_Γ is typable.

Proof. Suppose Γ has a sub-solution S, with

S(α_{i,l}) = ρ_{i,l} for i = 0, …, n and l = 1, …, ℓ.

There are therefore substitutions R_{i,j} such that R_{i,j}(S(t^{i,j})) ≤ S(u^{i,j}) for every i = 1, …, n and j = 1, …, r. We shall show that M_Γ is typable. For i = 1, …, n + 1, define the environment Eᵢ:



Eᵢ = {v_{i−1,l} : ρ_{i−1,l} → ρ_{i−1,l}, w_{i−1,l} : ρ_{i−1,l} | 1 ≤ l ≤ ℓ}

For i = 1, …, n and j = 1, …, r, by Lemma 4.3:

Eᵢ ⊢ M_{t^{i,j}} : S(t^{i,j})

and for every i = 2, …, n + 1 and j = 1, …, r there exists a (monomorphic) type θ_{i,j} such that

We shall prove that ⊢ N₁ : ζ₁, where:

ζ₁ = ρ_{0,1} → … → ρ_{0,ℓ} → (S(t^{1,1}) → … → S(t^{1,r}) → β₁) → β₁

where β₁ is a type variable.

Let

γ₁ = S(t^{1,1}) → … → S(t^{1,r}) → β₁

The desired property of N₁ is easily seen from the following derivation:

E₁(z : γ₁) ⊢ z : γ₁    E₁(z : γ₁) ⊢ M_{t^{1,1}} : S(t^{1,1})    …
-----------------------------------------------------------
E₁(z : γ₁) ⊢ z M_{t^{1,1}} … M_{t^{1,r}} : β₁
-----------------------------------------------------------
E₁ ⊢ N'₁ : γ₁ → β₁
-----------------------------------------------------------
⊢ C₀^ℓ[N'₁] : ζ₁



By an argument similar to the one about N₁, one may prove that

{x₁ : ζ₁} ⊢ N₂ : ρ_{1,1} → … → ρ_{1,ℓ} → (θ_{2,1} → … → θ_{2,r} → S(t^{2,1}) → … → S(t^{2,r}) → β₂) → β₂

we shall call this type ζ₂. Similarly, for i = …, n + 1 and j = 1, …, r, using the fact that R_{i−1,j}(S(t^{i−1,j})) ≤ S(u^{i−1,j}), it is not difficult to check that:

{x_{i−1} : ∀ᾱ. ζ_{i−1}} ⊢ Nᵢ : ζᵢ

where

ζᵢ = ρ_{i−1,1} → … → ρ_{i−1,ℓ} → (θ_{i,1} → … → θ_{i,r} → S(t^{i,1}) → … → S(t^{i,r}) → βᵢ) → βᵢ

θ_{i,j} = R_{i,j}(ρ_{i,1}) → … → R_{i,j}(ρ_{i,ℓ}) → ψ_{i,j}

for some type ψ_{i,j}.



4.4 Completeness of the encoding

Theorem 4.5. If M_Γ is typable then Γ has a sub-solution, i.e. there exist substitutions S, R_{1,1}, …, R_{n,r} such that

R_{i,j}(S(t^{i,j})) ≤ S(u^{i,j})    for 1 ≤ i ≤ n, 1 ≤ j ≤ r

Proof Suppose that M_Γ is typable. This means that, for i = 1, …, n + 1, Nᵢ is typable in an environment Eᵢ of the form:

Eᵢ = {x₁ : σ₁, …, x_{i−1} : σ_{i−1}}

where σ₁, …, σₙ are type schemes. Although the only free variable in Nᵢ is x_{i−1}, Eᵢ must include a type assumption for every variable whose binding includes Nᵢ in its scope. Note that ∅ = E₁ ⊆ … ⊆ E_{n+1}.

Let Vᵢ denote the set of variables in zone i of Γ. Note that



FV(Nᵢ) =  V₀              if i = 1
          ∪ {x_{i−1}}     otherwise



If Nᵢ = Cᵢ^ℓ[N'ᵢ] is typable in Eᵢ, then there exists an environment Eᵢ' and types ζᵢ, ρ'_{i,1}, …, ρ'_{i,ℓ}, ρ''_{i,1}, …, ρ''_{i,ℓ} such that

Eᵢ'(v_{i,j}) = ρ'_{i,j} → ρ''_{i,j}

Eᵢ' ⊢ Nᵢ : ζᵢ    (6)

Take any S such that ρ'_{i,j} ≤ S(α_{i,j}) ≤ ρ''_{i,j} for 1 ≤ i ≤ n, 1 ≤ j ≤ ℓ. The existence of such an S follows from the acyclicity of Γ and (3). Note that S and Eᵢ' satisfy the assumptions of Lemma 4.2.

First let us focus on the term N₁. The type ζ₁ must be of the form

ζ₁ = ρ_{0,1} → … → ρ_{0,ℓ} → (τ_{1,1} → … → τ_{1,r} → β₁) → ψ₁

where

S(t^{1,j}) ≤ τ_{1,j} for 1 ≤ j ≤ r
β₁ ≤ ψ₁
Now consider the term P_{1,j}. There exist an environment E'_{1,j} ⊇ E₁' and a type ψ_{1,j} such that

E'_{1,j} ⊢ P_{1,j} : ψ_{1,j}

E'_{1,j} ⊢ yⱼ : S(u^{1,j})

Since P_{1,j} occurs in a context let x₁ = N₁ in …, the occurrence of x₁ in it must be assigned a type that is an instance of ∀ᾱ. ζ₁. Therefore by Lemma 1.7, there exists a substitution R_{1,j} such that

(9)

From this, it follows that ζ₁ must be of the form

ζ₁ = ρ_{0,1} → … → ρ_{0,ℓ} → (τ_{1,1} → … → τ_{1,r} → β₁) → β₁

since x₁ occurs in P_{1,j} in the context x₁ p₁ … pₗ (λy₁ … λyᵣ. C_{u^{1,j}}[yⱼ]), by Lemma 4.2 we have

τ'_{1,j} ≤ S(u^{1,j})

Since τ_{1,j} occurs positively in ζ₁, we have R_{1,j}(S(t^{1,j})) ≤ R_{1,j}(τ_{1,j}). In turn R_{1,j}(τ_{1,j}) ≤ τ'_{1,j} by (9). From these inequalities, we conclude that

R_{1,j}(S(t^{1,j})) ≤ S(u^{1,j})

By the same token, for 2 ≤ i ≤ n + 1,³ the type ζᵢ must be of the form



Ci — ^ 

y • • • — y — t Tgi — !* • • • — !* Ti^r — t — !* ''Ipi 

and for all j the occurrence of Xi in Pij must be assigned a type of the form 



Ci = ^ 

(Ci,i 






1,1 



0i^l^r ^ h,l ^ ^ h,r ^ h) ^ h 



and there must be a substitution R_{i,j} such that

(10)

From this and from the construction of P_{i,j} we can again conclude that in fact R_{i,j}(S(t^{i,j})) ≤ R_{i,j}(τ_{i,j}) ≤ τ'_{i,j} and hence

R_{i,j}(S(t^{i,j})) ≤ S(u^{i,j})

for all i and j.



³ Note that there is no x_{n+1}, but there is N_{n+1}.
Abstract. We study a variant of the no read-up/no write-down security property of Bell and LaPadula for processes in the π-calculus. Once processes are given levels of security clearance, we statically check that a process at a high level never sends names to processes at a lower level. The static check is based on a Control Flow Analysis for the π-calculus that establishes a super-set of the set of names to which a given name may be bound and of the set of names that may be sent and received along a given channel, taking into account its directionality. The static check is shown to imply the natural dynamic condition.



1 Introduction 

System security is receiving more and more attention but obtaining precise answers is often undecidable [10]. However, static analysis provides a repertoire of automatic and decidable methods for analysing properties of programs, and these can often be used as the basis for establishing security properties. We use here Control Flow Analysis, a static technique for predicting safe and computable approximations to the set of values that the objects of a program may assume during its execution. To circumvent the undecidability issues the analysis “errs on the safe side” by never omitting values that arise, but perhaps including values that never arise in the semantics. The approach is related to Data Flow Analysis and Abstract Interpretation and naturally leads to a general treatment of semantic correctness and the existence of best solutions. A more widely used alternative for calculi of computation is to use Type Systems; they also allow a clear statement of semantic correctness (sometimes called type soundness) and allow one to study whether or not best solutions exist (in the form of principal types). The interplay between Type Systems and Control Flow Analysis is not yet fully understood, but simple Type Systems and simple Control Flow Analyses seem to be equally expressive; however, a main difference is that the Control Flow Analysis guarantees that best solutions always exist whereas many Type Systems do not admit principal types (and occasionally the issue is left open when presenting the type system).

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 120-134, 1999. 

@ Springer-Verlag Berlin Heidelberg 1999 
Here we elaborate on our proposal made in [5], which presents a Control Flow Analysis for the π-calculus, a model of concurrent communicating processes based on naming, and where we applied it to statically check that a process has no leaks, i.e. that a process confines a set of values, devised to be secret, within itself. Our new analysis is more accurate than the one in [5], because a more careful check is made on the input and the output prefixes, so as to identify unreachable code. The result of our Control Flow Analysis establishes a super-set of the set of names to which a given name may be bound and of the sets of names that may be sent and received along a given channel, when used by a process with clearance l. These super-sets give rise to solutions of the form (ρ, σ) and we formulate the Control Flow Analysis as a specification of the correctness of a candidate solution. This takes the form of judgements of the form (ρ, σ) ⊨^{me}_l P (where me will be explained later and l is the level of security clearance), and a set of clauses that operate on them. We show that best solutions always exist and we establish the semantic correctness of solutions in the form of a subject-reduction result.

We apply our analysis to statically checking a dynamic version of the no read-up/no write-down property of Bell and LaPadula [4, 11, 12]: a process classified at a high level cannot write any value to a process of low level, while communication in any other direction is permitted. This requirement is part of a security model, based on multi-level access control, see [4, 10]. We first define a static check on solutions (ρ, σ), called discreetness, for when a process respects the classification hierarchy. Then we show that a discreet process enjoys the dynamic version of the no read-up/no write-down property.

Overview. Section 2 gives the syntax and the operational semantics of our version of the π-calculus with clearance levels. Our Control Flow Analysis is in Section 3, together with the semantic correctness of solutions. The no read-up/no write-down property is then studied in Section 4. Some proofs are omitted or only sketched because of lack of space.

2 The π-calculus

Syntax. In this section we briefly recall the π-calculus [21], a model of concurrent
communicating processes based on the notion of naming. The formulation of our
analysis requires a minor extension to the standard syntax of the π-calculus,
namely assigning "channels" to the binding occurrences of names within restrictions
and "binders" to the binding occurrences of names within input prefixes;
as will emerge later, this is because of the α-conversion allowed by the structural
congruence, and the syntactic extension allows us to compute a super-set of the
actual links that a name can denote. Also, we need a further extension to assign
a security level to π-calculus processes.

More precisely, we introduce a finite set $\mathcal{L} = \{\#\} \cup \{0, \ldots, k\}$ of level labels,
with metavariable $l$, consisting both of natural numbers and of the distinguished
label $\#$, intended as the label of the environment, which is intuitively assumed
to have "no level". The set $\mathcal{L}$ is ordered (see Fig. 1) with the usual $\leq$ relation
on natural numbers and assuming that $l \not\leq \#$ and $\# \not\leq l$.

Definition 1. Let $\mathcal{N}$ be an infinite set of names ranged over by $a, b, \ldots, x, y$ and
let $\tau$ be a distinguished element such that $\mathcal{N} \cap \{\tau\} = \emptyset$. Also let $\mathcal{B}$ be a non-empty
set of binders ranged over by $\beta, \beta', \ldots$; and let $\mathcal{C}$ be a non-empty set of
channels ranged over by $\chi, \chi', \ldots$; moreover let $\mathcal{B} \cup \mathcal{C}$ be the set of markers. Then
processes, denoted by $P, P_1, P_2, Q, R, \ldots \in \mathcal{P}$, are built from names according to
the syntax

$P ::= 0 \mid \mu.P \mid P + P \mid P \,|\, P \mid (\nu x^{\chi})P \mid [x = y]P \mid\; !P \mid (P)^{l}$

where $\mu$ may either be $x(y^{\beta})$ for input, or $\bar{x}y$ for output, or $\tau$ for silent moves,
and where $l \in \mathcal{L} \setminus \{\#\}$. Hereafter, the trailing $0$ will be omitted (i.e. we write $\mu$
instead of $\mu.0$).



In this paper we consider the early operational semantics defined in SOS style. The
intuition of process constructors is the standard one. Indeed, $(P)^{l}$ behaves just as $P$ but
expresses that $P$ has level $l$, where $l \in \mathcal{L} \setminus \{\#\}$. The labels of transitions are $\tau$ for silent
actions, $xy$ for free input, $\bar{x}y$ for free output, and $\bar{x}(y)$ for bound output. We will use $\mu$ as a
metavariable for the labels of transitions. We recall the notion of free names $fn(\mu)$, bound
names $bn(\mu)$, and names $n(\mu) = fn(\mu) \cup bn(\mu)$ of a label $\mu$. Also two partial functions, $sbj$
and $obj$, are defined that give, respectively, the subject $x$ and the object $y$ of input and
output actions, i.e. the channel $x$ on which $y$ is transmitted.



[Fig. 1. Levels of processes ($i < i + 1$) and of the environment: the chain $0 < 1 < \cdots < k$, with the environment label $\#$ drawn beside it.]



Kind                   | $\mu$             | $fn(\mu)$   | $bn(\mu)$   | $sbj(\mu)$ | $obj(\mu)$
Silent move            | $\tau$            | $\emptyset$ | $\emptyset$ |            |
Free input and output  | $xy$, $\bar{x}y$  | $\{x, y\}$  | $\emptyset$ | $x$        | $y$
Bound output           | $\bar{x}(y)$      | $\{x\}$     | $\{y\}$     | $x$        | $y$

Functions fn, bn and n are extended in the obvious way to processes. 

Congruence. Below we shall need the structural congruence $\equiv$ on processes,
defined as in [22], apart from the last rule, where restrictions can be exchanged
only if the restricted names are different, because otherwise $(\nu x^{\chi})P \equiv (\nu x^{\chi'})P$.
Then $\equiv$ is the least congruence satisfying:

- if $P$ and $Q$ are α-equivalent ($P \equiv_{\alpha} Q$) then $P \equiv Q$;

- $(\mathcal{P}/{\equiv}, +, 0)$ and $(\mathcal{P}/{\equiv}, |, 0)$ are commutative monoids;

- $!P \equiv P \,|\, !P$;

- $(\nu x^{\chi})(\nu y^{\chi'})P \equiv (\nu y^{\chi'})(\nu x^{\chi})P$ if $x \neq y$, $(\nu x^{\chi})(P_1 \,|\, P_2) \equiv (\nu x^{\chi})P_1 \,|\, P_2$ if
$x \notin fn(P_2)$, and $(\nu x^{\chi})P \equiv P$ if $x \notin fn(P)$.

Static Analysis of Processes for No Read-Up and No Write-Down 123



Semantics. Table 1 shows the annotated early transition system of the π-calculus.
The transitions have the form $\vdash^{l}_{L} P \xrightarrow{\mu,\lambda} Q$, with $\lambda \in \mathcal{C} \cup \{\epsilon\}$, $l \in \mathcal{L}$, $L \in \mathcal{L}^{*}$. The
string of level labels $L$ records the clearances passed through while deducing the
transition, while the index $l$ on $\vdash$ represents the current level. Note that the
sequences of security levels of the sender and of the receiver are discarded when a
communication is derived, leading to a transition of the form $\vdash^{l} P \xrightarrow{\tau} Q$ (see the
rules Com and Close in Tab. 1). As far as the label $\lambda \in \mathcal{C} \cup \{\epsilon\}$ is concerned, we
have that $\epsilon$ is used in all cases, apart from extrusions or when input transitions
have to be used as a premise of a Close rule. In that case the label is $\chi$ and
records the actual channel to be associated with the object of the input. Rule
Match takes care of matching; we have formulated it as a transition rather than
as a structural law in order to simplify the technical development (compare [5]).
Rule Var ensures that all the rules and axioms can also be used on all the
variants of a process.



3 Control Flow Analysis

The result of our analysis for a process $P$ (with respect to an additional marker
environment $me$ for associating names with markers and a label $l$ recording a
clearance) is a pair $(\rho, \sigma)$: the abstract environment $\rho$ gives information about
which channels names can be bound to, while the abstract communication environment
$\sigma = (\sigma_{in}, \sigma_{out})$ gives information about the channels sent and received
by the sub-processes of $P$ with clearance $l$. Besides the usage of security levels,
our present solutions refine those in [5]. In fact, the $\sigma$ component controls the
values that pass along a channel more accurately than there. We now make the
above more precise.

3.1 Validation

To validate the correctness of a proposed solution $(\rho, \sigma)$ we state a set of clauses
operating upon judgements of the form:

$(\rho, \sigma) \models^{l}_{me} P$

The purpose of $me$, $l$, $\rho$, $\sigma$ is clarified by:

- $me : \mathcal{N} \to (\mathcal{B} \cup \mathcal{C})$ is the marker environment that associates names (in
particular the free names of a process) with the appropriate channel or binder
where the name was introduced; so $me(x)$ will be the marker (in $\mathcal{B}$ or $\mathcal{C}$)
where the current name $x$ is bound.

- $l \in \mathcal{L}$ keeps track of the current security level that the process under validation
has.

- $\rho : \mathcal{B} \to \wp(\mathcal{C})$ is the abstract environment that associates binders with the
set of channels that they can be bound to; more precisely, $\rho(\beta)$ must include
the set of channels that $\beta$ could evaluate to.

By setting $\forall \chi : \rho(\chi) = \{\chi\}$ we shall allow ourselves to regard the abstract environment
as a function $\rho : (\mathcal{B} \cup \mathcal{C}) \to \wp(\mathcal{C})$.

- $\sigma_{in}, \sigma_{out} : \mathcal{L} \to (\mathcal{C} \to \wp(\mathcal{C}))$ constitute the abstract communication environment.
They give the set of the channels that can be bound to the possible
objects of an input and an output action, respectively, performed by the
sub-processes labelled by $l$, on a given channel $\chi$.

The relation between the abstract communication environment $\sigma$ and the abstract
channel environment $\kappa$ in [5] is $\forall \chi \in \mathcal{C} : \kappa(\chi) = \bigcup_{l \in \mathcal{L}} (\sigma_{in}(l)(\chi) \cup \sigma_{out}(l)(\chi))$ in case
of least solutions.
$(\rho, \sigma) \models^{l}_{me} 0$ iff true

$(\rho, \sigma) \models^{l}_{me} \tau.P$ iff $(\rho, \sigma) \models^{l}_{me} P$

$(\rho, \sigma) \models^{l}_{me} \bar{x}y.P$ iff $(\rho(me(y)) \neq \emptyset \wedge \rho(me(x)) \neq \emptyset) \Rightarrow ((\rho, \sigma) \models^{l}_{me} P \;\wedge\; \forall \chi \in \rho(me(x)) : \rho(me(y)) \subseteq \sigma_{out}(l)(\chi))$

$(\rho, \sigma) \models^{l}_{me} x(y^{\beta}).P$ iff $\bigcup_{l' \in \mathcal{L},\, \chi \in \rho(me(x))} \sigma_{out}(l')(\chi) \neq \emptyset \Rightarrow ((\rho, \sigma) \models^{l}_{me[y \mapsto \beta]} P \;\wedge\; \forall \chi \in \rho(me(x)),\, \forall l' \in \mathcal{L} : \sigma_{out}(l')(\chi) \subseteq \sigma_{in}(l)(\chi) \cap \rho(\beta))$

$(\rho, \sigma) \models^{l}_{me} P_1 + P_2$ iff $(\rho, \sigma) \models^{l}_{me} P_1 \wedge (\rho, \sigma) \models^{l}_{me} P_2$

$(\rho, \sigma) \models^{l}_{me} P_1 \,|\, P_2$ iff $(\rho, \sigma) \models^{l}_{me} P_1 \wedge (\rho, \sigma) \models^{l}_{me} P_2$

$(\rho, \sigma) \models^{l}_{me} (\nu x^{\chi})P$ iff $(\rho, \sigma) \models^{l}_{me[x \mapsto \chi]} P$

$(\rho, \sigma) \models^{l}_{me} [x = y]P$ iff $(\rho(me(x)) \cap \rho(me(y)) \neq \emptyset \vee me(x) = me(y)) \Rightarrow (\rho, \sigma) \models^{l}_{me} P$

$(\rho, \sigma) \models^{l}_{me}\; !P$ iff $(\rho, \sigma) \models^{l}_{me} P$

$(\rho, \sigma) \models^{l}_{me} (P)^{l'}$ iff $(\rho, \sigma) \models^{l'}_{me} P \wedge \sigma_{in}(l') \sqsubseteq \sigma_{in}(l) \wedge \sigma_{out}(l') \sqsubseteq \sigma_{out}(l)$

Table 2. Control flow analysis for the π-calculus.



Note that we use a marker environment because the identity of names is not
preserved under α-conversions (see rules Ein and Var). In particular, it would
not suffice to "α-rename the program apart" because, as in [5], this property is
not preserved under reduction.

The analysis is in Tab. 2. As we are analysing a process $P$ from scratch,
we assume that the initial clearance label is $\#$. All the rules for validating a
compound process require that the components are validated, apart from the
rules for output, input and matching. The rules for output and input require a
preliminary check to decide whether the continuation $P$ needs to be validated,
and this makes the analysis more accurate than the one in [5]. In case of output,
one has to make sure that the (set of channels associated with the) object is
bound to some channels, and similarly for the subject. In the case of input we
control that the (set of channels associated with the) subject has some channels
to read; actually, we ensure that some value can be sent along the subject. The
last conjunct of the rule for output takes care of the clearance $l$ of the process
under analysis. The channels that can be bound to the object of an output
action along channel $\chi$ must be included in $\sigma_{out}(l)(\chi)$. Analogously for the case
of input, where we ensure that $\sigma_{in}(l)(\chi)$ and $\rho(\beta)$ contain all the outputs on
$\chi \in \rho(me(x))$, regardless of the clearance level $l'$ of the sending process. The
condition for matching says that $P$ needs to be validated if there is at least one
channel to which both $x$ and $y$ can evaluate; note that both can evaluate to $\emptyset$,
and thus we need to check whether they actually denote the same channel by
allowing $me(x) = me(y)$. The rule for the process $(P)^{l'}$ simply says that the
channels that can be read and written by it must be included in those read
or written by its surrounding process, labelled $l$. It makes use of the following
definition.

Definition 2. The set of proposed solutions can be partially ordered by setting
$(\rho, \sigma) \sqsubseteq (\rho', \sigma')$ iff $\forall \beta \in \mathcal{B} : \rho(\beta) \subseteq \rho'(\beta)$, $\forall \chi \in \mathcal{C}, \forall l \in \mathcal{L} : \sigma_{in}(l)(\chi) \subseteq \sigma'_{in}(l)(\chi)$

and $\forall \chi \in \mathcal{C}, \forall l \in \mathcal{L} : \sigma_{out}(l)(\chi) \subseteq \sigma'_{out}(l)(\chi)$.

It is immediate that this suffices for making the set of proposed solutions into a
complete lattice; using standard notation we write $(\rho, \sigma) \sqcup (\rho', \sigma')$ for the binary
least upper bound (defined pointwise), $\sqcap X$ for the greatest lower bound of a set
$X$ of proposed solutions (also defined pointwise), and $(\bot, \bot)$ for the least element
(where $\bot$ maps everything to $\emptyset$).

Example 1. Consider the following process

$S = \;!(R \,|\, Q \,|\, P) = \;!((\bar{a}b.\bar{a}b.\bar{b}c)^{l_R} \,|\, (a(x^{\beta_x}).\bar{x}x)^{l_Q} \,|\, (a(y^{\beta_y}).y(z^{\beta_z}).([y = z]\bar{y}a + y(w^{\beta_w})))^{l_P})$,

where the marker environment $me$ is such that $me(fv) = \chi_{fv}$ for all the free
names $fv \in \{a, b, c\}$. The pair $(\rho, \sigma)$ is defined as follows, where the bound
names are $bv \in \{x, y, z, w\}$ and the level labels are $l \in \{\#, l_R, l_Q, l_P\}$:

$\rho(\beta_{bv}) = \begin{cases} \{\chi_b\} & \text{if } bv = x, y \\ \{\chi_a, \chi_b, \chi_c\} & \text{if } bv = z, w \end{cases}$

(Recall that $\rho(\chi) = \{\chi\}$.)

$\sigma_{in}(l)(\chi_a) = \begin{cases} \{\chi_b\} & \text{if } l = \# \\ \emptyset & \text{if } l = l_R \\ \{\chi_b\} & \text{if } l = l_Q, l_P \end{cases}$

$\sigma_{in}(l)(\chi_b) = \begin{cases} \{\chi_a, \chi_b, \chi_c\} & \text{if } l = \# \\ \emptyset & \text{if } l = l_R, l_Q \\ \{\chi_a, \chi_b, \chi_c\} & \text{if } l = l_P \end{cases}$

$\sigma_{in}(l)(\chi_c) = \emptyset$ if $l = \#, l_R, l_Q, l_P$

$\sigma_{out}(l)(\chi_a) = \begin{cases} \{\chi_b\} & \text{if } l = \#, l_R \\ \emptyset & \text{if } l = l_Q, l_P \end{cases}$

$\sigma_{out}(l)(\chi_b) = \begin{cases} \{\chi_a, \chi_b, \chi_c\} & \text{if } l = \# \\ \{\chi_c\} & \text{if } l = l_R \\ \{\chi_b\} & \text{if } l = l_Q \\ \{\chi_a\} & \text{if } l = l_P \end{cases}$

$\sigma_{out}(l)(\chi_c) = \emptyset$ if $l = \#, l_R, l_Q, l_P$

A simple check shows that $(\rho, \sigma) \models^{\#}_{me} S$.

3.2 Existence of solutions

So far we have only considered a procedure for validating whether or not a
proposed solution $(\rho, \sigma)$ is in fact acceptable. We now show that there always
exists a least choice of $(\rho, \sigma)$ that is acceptable in the manner of Tab. 2.

However, note that $\bot_{\rho} : \mathcal{B} \to \wp(\mathcal{C})$ viewed as $\bot_{\rho} : (\mathcal{B} \cup \mathcal{C}) \to \wp(\mathcal{C})$ has $\bot_{\rho}(\beta) = \emptyset$ for
$\beta \in \mathcal{B}$ but $\bot_{\rho}(\chi) = \{\chi\}$ for $\chi \in \mathcal{C}$ (rather than $\bot_{\rho}(\chi) = \emptyset$).

Definition 3. A set $X$ of proposed solutions is a Moore family if and only if it
contains $\sqcap J$ for all $J \subseteq X$ (in particular $J = \emptyset$ and $J = X$).

This is sometimes called the model intersection property and is fundamental for
many approaches to program analysis [7]. When $X$ is a Moore family it contains
a greatest element ($\sqcap \emptyset$) as well as a least element ($\sqcap X$). The following theorem
then guarantees that there always is a least solution to the specification in Tab. 2.

Theorem 1. The set $\{(\rho, \sigma) \mid (\rho, \sigma) \models^{l}_{me} P\}$ is a Moore family for all $me$, $l$, $P$.

Proof. By induction on $P$.

There is also a constructive procedure for obtaining the least solution; it has a
low polynomial complexity. Essentially, establishing $(\rho, \sigma) \models^{l}_{me} P$ amounts to
checking a number of individual constraints. In the full paper we define a function,
indexed by $me$ and $l$, for explicitly extracting these constraints, proceeding by induction on
the structure of processes. This is not entirely straightforward because of the
conditional analysis of the continuation process in the case of output, input and
matching. The resulting constraints can be solved in low polynomial time.
3.3 Correctness 

We now state some auxiliary results that will allow us to establish the semantic
correctness of our analysis. They are all independent of the semantics and only
rely on Tab. 2; their proofs are all by induction.

Lemma 1. Assume that $\forall x \in fn(P) : me_1(x) = me_2(x)$; then $(\rho, \sigma) \models^{l}_{me_1} P$ if
and only if $(\rho, \sigma) \models^{l}_{me_2} P$.

Lemma 2. Assume that $me(y) = me(z)$; then $(\rho, \sigma) \models^{l}_{me} P$ if and only if
$(\rho, \sigma)$

Corollary 1. Assume that $z \notin fn(P)$ and $\eta \in \mathcal{B} \cup \mathcal{C}$; then $(\rho, \sigma) \models^{l}_{me} P$ if
and only if $(\rho, \sigma) \models$

Lemma 3. Assume that $P \equiv Q$; then $(\rho, \sigma) \models^{l}_{me} P$ iff $(\rho, \sigma) \models^{l}_{me} Q$.

Lemma 4. Assume that $(\rho, \sigma) \models^{l}_{me} P$ and $me(w) \in \rho(me(z)) \subseteq \mathcal{C}$; then
Subject reduction. To establish the semantic correctness of our analysis we rely
on the definition of the early semantics in Tab. 1 as well as on the analysis in
Tab. 2. The subject reduction result below applies to all the solutions of the
analysis, and hence in particular to the least. The operational semantics only
rewrites processes at "top level", where it is natural to demand that all free names
are bound to channels (rather than binders); this is formalised by the condition
$me[fn(\cdot)] \subseteq \mathcal{C}$ that occurs several times. Note that item (3b) corresponds to
"bound" input, mainly intended to be used to match a corresponding bound
output in the rule Close of the semantics; therefore the name $y$ read along link
$x$ must be fresh in $P$, i.e. $y \notin fn(P)$.

Theorem 2. If $me[fn(P)] \subseteq \mathcal{C}$, $(\rho, \sigma) \models^{l}_{me} P$ and $\vdash^{l}_{L} P \xrightarrow{\mu,\lambda} Q$, then we have:

(1) If $\mu = \tau$ then
$\lambda = \epsilon$, $(\rho, \sigma) \models^{l}_{me} Q$, and $me[fn(Q)] \subseteq \mathcal{C}$.

(2a) If $\mu = \bar{x}y$ then
$\lambda = \epsilon$, $(\rho, \sigma) \models^{l}_{me} Q$, $me[fn(Q)] \subseteq \mathcal{C}$ and $\forall l' \in L\,l$ (the string $L$ extended with $l$): $me(y) \in \sigma_{out}(l')(me(x))$.

(2b) If $\mu = \bar{x}(y)$ then
$\lambda = \chi$ for some $\chi \in \mathcal{C}$, $(\rho, \sigma) \models^{l}_{me[y \mapsto \chi]} Q$, $(me[y \mapsto \chi])[fn(Q)] \subseteq \mathcal{C}$, and
$\forall l' \in L\,l : \chi \in \sigma_{out}(l')(me(x))$.

(3a) If $\mu = xy$, $\lambda = \epsilon$, $me(y) \in \mathcal{C}$ and
$me(y) \in \bigcup_{l' \in \mathcal{L}} (\sigma_{in}(l')(me(x)) \cup \sigma_{out}(l')(me(x)))$ then
$(\rho, \sigma) \models^{l}_{me} Q$, $me[fn(Q)] \subseteq \mathcal{C}$, and $\forall l' \in L\,l : me(y) \in \sigma_{in}(l')(me(x))$.

(3b) If $\mu = xy$, $\lambda = \chi$, $\chi \in \bigcup_{l' \in \mathcal{L}} (\sigma_{in}(l')(me(x)) \cup \sigma_{out}(l')(me(x)))$ and $y \notin fn(P)$
then
$(\rho, \sigma) \models^{l}_{me[y \mapsto \chi]} Q$, $(me[y \mapsto \chi])[fn(Q)] \subseteq \mathcal{C}$, and
$\forall l' \in L\,l : \chi \in \sigma_{in}(l')(me(x))$.

Proof. A lengthy proof by induction on the construction of $\vdash^{l}_{L} P \xrightarrow{\mu,\lambda} Q$
and with subcases depending on whether case (1), (2a), (2b), (3a) or (3b) applies.
The proof makes use of Lemmata 1, 2, 3 and 4.

4 Multi-level Security

System security is typically based on putting objects and subjects into security
classes and preventing information from flowing from higher levels to lower ones.
Besides the no-leaks property studied in [5], here we offer further evidence that
Control Flow Analysis helps in statically detecting useful information on security.

The literature reports a security property called no read-up/no write-down
[11, 12]. The security requirement is that a process classified at a high level cannot
write any value to a process of low level, while the converse is allowed. These
requirements are part of a security model based on multi-level access control,
see [4, 10]. The no read-up/no write-down property is commonly studied for a
set of processes put in parallel (see, e.g. [29]). We follow this view and consider
in the following only processes of the form $(P_0)^{l_0} \,|\, (P_1)^{l_1} \,|\, \ldots \,|\, (P_n)^{l_n}$, where each
process $P_i$ has no labelling construct inside.

A dynamic notion. Now we are ready to introduce the dynamic version of the
no read-up/no write-down property.

We assume that the environment is always willing to listen to $P$, i.e. its
sub-processes at any level can perform free outputs to the environment. On the
contrary, some parts of $P$ are reachable only if the environment supplies some
information to a sub-process $R$ with a particular clearance. To formalize the
intentions of the environment, we use a function

$\varsigma : \mathcal{L} \to (\mathcal{C} \to \wp(\mathcal{C}))$

that associates a label $l$ and a channel $\chi$ with the set of channels that the
environment considers secure to communicate to $R$.

Definition 4. Given $P, me_P, \varsigma$, a granted step is $(P, me_P) \Rightarrow (Q, me_Q)$,
and is defined whenever

1. $\vdash^{\#}_{L} P \xrightarrow{\mu,\lambda} Q$, and

2. if $\mu = xy$, then

(a) $me_P(y) \in \varsigma(\#)(me_P(x))$ if $\lambda = \epsilon$

(b) $\lambda \in \varsigma(\#)(me_P(x))$ and $y \notin fn(P)$ if $\lambda = \chi$

where $me_Q = \begin{cases} me_P & \text{if } \lambda = \epsilon \\ me_P[obj(\mu) \mapsto \chi] & \text{if } \lambda = \chi \end{cases}$

A granted computation $(P, me_P) \Rightarrow^{*} (Q, me_Q)$ is made of granted steps.

The definition of our version of the no read-up/no write-down property follows.
Essentially, it requires that in all the communications performed by a
process, the sender $R_S$ has a clearance level lower than the clearance level of the
receiver $R_R$.

Definition 5. A process $P$ is no read-up/no write-down (nru/nwd for short)
with respect to $\varsigma, me_P$ if and only if the following holds:

whenever $(P, me_P) \Rightarrow^{*} (P', me_{P'}) \Rightarrow (Q, me_Q)$ where the last granted step is
a communication (between $R_S$ and $R_R$) that has been deduced with either

(a) the rule Com, using the premises $\vdash^{l_S}_{L_S} R_S \xrightarrow{\bar{x}y,\epsilon} R'_S$ and $\vdash^{l_R}_{L_R} R_R \xrightarrow{xy,\epsilon} R'_R$, or

(b) the rule Close, using the premises $\vdash^{l_S}_{L_S} R_S \xrightarrow{\bar{x}(y),\chi} R'_S$ and $\vdash^{l_R}_{L_R} R_R \xrightarrow{xy,\chi} R'_R$,

then no element of $L_S$ is strictly greater than any element of $L_R$.

A static notion. We now define a static property that guarantees that a process
is nru/nwd. Besides finding a solution $(\rho, \sigma)$ for a process $P$, we require that the
channels read along $\chi$ should include those that the environment is willing to
supply, expressed by $\varsigma$. The last condition below requires that the same channel
cannot be used for sending an object from a process with high level $l''$ to a
process with low level $l'$.

Definition 6. Let $P, me$ be such that $me[fn(P)] \subseteq \mathcal{C}$. Then $P$ is discreet (w.r.t.
$\varsigma, me$) if and only if there exists $(\rho, \sigma)$ such that

1. $(\rho, \sigma) \models^{\#}_{me} P$

2. $\forall l \in \mathcal{L}, \chi \in \mathcal{C} : \sigma_{in}(l)(\chi) \supseteq \varsigma(l)(\chi)$

3. $\forall l', l'' \in \mathcal{L}$, $l' < l''$ and $\forall \chi \in \mathcal{C} : \sigma_{out}(l'')(\chi) \cap \sigma_{in}(l')(\chi) = \emptyset$.

The property of discreetness can be checked in low polynomial time by building
on the techniques mentioned in Section 3.2. Below, we show that the property
of being discreet is preserved under granted steps.

Lemma 5 (Subject reduction for discreetness).

If $P$ is discreet with respect to $\varsigma, me_P$, and $(P, me_P) \Rightarrow (Q, me_Q)$, then $Q$ is
discreet with respect to $\varsigma, me_Q$.

Proof. Theorem 2 suffices for proving that $me_Q[fn(Q)] \subseteq \mathcal{C}$ and $(\rho, \sigma) \models^{\#}_{me_Q} Q$.
The proof of the second and third items is immediate, because the solution
does not change. The only delicate point for the application of Theorem 2 is
when the granted step is an input. Consider first the case in which $\lambda = \epsilon$.
It suffices to make sure that $me(y) \in \mathcal{C}$ and that $me(y) \in \sigma_{in}(\#)(me(x))$.
Condition 2 of Def. 6 guarantees that $\sigma_{in}(\#)(me(x)) \supseteq \varsigma(\#)(me(x))$. In turn
$me(y) \in \varsigma(\#)(me(x)) \subseteq \mathcal{C}$ because the step is granted. The case when $\lambda = \chi$ is
just the same, while in the other cases the proof is trivial.

The following lemma further illustrates the links between the transitions of
processes and the results of our static analysis. It will be used in proving that
discreetness is sufficient to guarantee that $P$ enjoys the nru/nwd property.

Lemma 6. If $\vdash^{l}_{L} P \xrightarrow{\mu,\lambda} Q$ has been deduced with premise $\vdash^{l'}_{L'} R \xrightarrow{\mu',\lambda'} R'$ and
$(\rho, \sigma) \models^{l}_{me} P$, then there exists $me'$ such that $(\rho, \sigma) \models^{l'}_{me'} R$.

Proof. The proof is by induction on the derivation of the transition.

Theorem 3.

If $P$ is discreet (w.r.t. $\varsigma, me$), then $P$ is nru/nwd (w.r.t. $\varsigma, me$).

Proof. By Lemma 5 it is enough to check that, if $(P, me_P) \Rightarrow (Q, me_Q)$, then
$Q$ is nru/nwd, with the $\tau$ step being a communication between $R_S$ and $R_R$ defined as in
Def. 5. Assume, per absurdum, that an element $l_S \in L_S$ is strictly greater than
an element $l_R \in L_R$. By Lemma 6, $(\rho, \sigma) \models^{l_S} R_S$ and $(\rho, \sigma) \models^{l_R} R_R$.
Consider first the case (a) of Def. 5. The analysis and Theorem 2 tell us that
$\forall l' \in L_S : me(y) \in \sigma_{out}(l')(me(x))$ and $\forall l' \in L_R : me(y) \in \sigma_{in}(l')(me(x))$. But
this contradicts item 3 of Def. 6, because, in particular, $me(y) \in \sigma_{out}(l_S)(me(x))$
as well as $me(y) \in \sigma_{in}(l_R)(me(x))$.

As for case (b) of Def. 5, just replace $\chi$ for $me(y)$ and proceed as in case (a).
Example 2. Consider again the process $S$ validated in Example 1:

$!((\bar{a}b.\bar{a}b.\bar{b}c)^{l_R} \,|\, (a(x^{\beta_x}).\bar{x}x)^{l_Q} \,|\, (a(y^{\beta_y}).y(z^{\beta_z}).([y = z]\bar{y}a + y(w^{\beta_w})))^{l_P})$

and suppose that $l_R < l_Q < l_P$. Then it is easy to prove that the process is
discreet. In particular the following five conditions hold.

- $\sigma_{out}(l_Q)(\chi_{fv}) \cap \sigma_{in}(l_R)(\chi_{fv}) = \sigma_{out}(l_Q)(\chi_{fv}) \cap \emptyset = \emptyset$;

- $\sigma_{out}(l_P)(\chi_{fv}) \cap \sigma_{in}(l_R)(\chi_{fv}) = \sigma_{out}(l_P)(\chi_{fv}) \cap \emptyset = \emptyset$;

- $\sigma_{out}(l_P)(\chi_a) \cap \sigma_{in}(l_Q)(\chi_a) = \emptyset \cap \{\chi_b\} = \emptyset$;

- $\sigma_{out}(l_P)(\chi_b) \cap \sigma_{in}(l_Q)(\chi_b) = \{\chi_a\} \cap \emptyset = \emptyset$;

- $\sigma_{out}(l_P)(\chi_c) \cap \sigma_{in}(l_Q)(\chi_c) = \emptyset \cap \emptyset = \emptyset$.
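The clauses of Table 2 and the three items of Def. 6, as an added Python example that is not part of the paper or of its web-based checker: it validates the solution of Example 1 against the process $S$ and then checks discreetness for the ordering of Example 2 and for the reversed ordering. The tuple encoding of processes and the names CHANNELS, LEVELS, RHO and SIGMA are assumptions made for this example.

```python
# Added example (not from the paper): a checker for the clauses of Table 2 and for
# discreetness (Def. 6), run on the process S and the solution (rho, sigma) of Example 1.
# Assumed encoding of processes as nested tuples (the paper has no such encoding):
#   ('nil',)  ('tau', P)  ('out', x, y, P)  ('in', x, y, beta, P)  ('sum', P, Q)
#   ('par', P, Q)  ('res', x, chi, P)  ('match', x, y, P)  ('rep', P)  ('lev', l, P)
# Markers listed in CHANNELS are channels; every other marker is a binder.

CHANNELS = frozenset({'chi_a', 'chi_b', 'chi_c'})
LEVELS = ('#', 'lR', 'lQ', 'lP')          # the finite set L of Example 1

def rho_of(rho, marker):
    """rho viewed on B u C: rho(chi) = {chi} for a channel, rho(beta) for a binder."""
    return frozenset({marker}) if marker in CHANNELS else rho.get(marker, frozenset())

def s_in(sigma, l, chi):
    return sigma['in'].get((l, chi), frozenset())

def s_out(sigma, l, chi):
    return sigma['out'].get((l, chi), frozenset())

def validate(rho, sigma, me, l, proc):
    """(rho, sigma) |=^l_me proc, one branch per clause of Table 2."""
    kind = proc[0]
    if kind == 'nil':
        return True
    if kind in ('tau', 'rep'):
        return validate(rho, sigma, me, l, proc[1])
    if kind == 'out':                        # xbar y . P
        _, x, y, cont = proc
        objs, subjs = rho_of(rho, me[y]), rho_of(rho, me[x])
        if not (objs and subjs):             # continuation unreachable: nothing to check
            return True
        return (validate(rho, sigma, me, l, cont)
                and all(objs <= s_out(sigma, l, chi) for chi in subjs))
    if kind == 'in':                         # x(y^beta) . P
        _, x, y, beta, cont = proc
        subjs = rho_of(rho, me[x])
        sent = frozenset().union(*(s_out(sigma, lp, chi) for lp in LEVELS for chi in subjs))
        if not sent:                         # nothing is ever sent on x: skip continuation
            return True
        return (validate(rho, sigma, {**me, y: beta}, l, cont)
                and all(s_out(sigma, lp, chi) <= s_in(sigma, l, chi)
                        and s_out(sigma, lp, chi) <= rho_of(rho, beta)
                        for lp in LEVELS for chi in subjs))
    if kind in ('sum', 'par'):
        return (validate(rho, sigma, me, l, proc[1])
                and validate(rho, sigma, me, l, proc[2]))
    if kind == 'res':                        # (nu x^chi) P
        _, x, chi, cont = proc
        return validate(rho, sigma, {**me, x: chi}, l, cont)
    if kind == 'match':                      # [x = y] P
        _, x, y, cont = proc
        if rho_of(rho, me[x]) & rho_of(rho, me[y]) or me[x] == me[y]:
            return validate(rho, sigma, me, l, cont)
        return True
    if kind == 'lev':                        # (P)^l'
        _, lp, cont = proc
        return (validate(rho, sigma, me, lp, cont)
                and all(s_in(sigma, lp, chi) <= s_in(sigma, l, chi)
                        and s_out(sigma, lp, chi) <= s_out(sigma, l, chi)
                        for chi in CHANNELS))
    raise ValueError(f'unknown constructor {kind}')

def discreet(rho, sigma, me, proc, below, varsigma):
    """Def. 6. `below` lists the pairs (l', l'') with l' < l''; `varsigma` maps
    (l, chi) to the channels the environment grants, as the function varsigma of Sect. 4."""
    ok1 = validate(rho, sigma, me, '#', proc)
    ok2 = all(varsigma.get((l, chi), frozenset()) <= s_in(sigma, l, chi)
              for l in LEVELS for chi in CHANNELS)
    ok3 = all(not (s_out(sigma, hi, chi) & s_in(sigma, lo, chi))
              for lo, hi in below for chi in CHANNELS)
    return ok1 and ok2 and ok3

# Example 1: S = !((ab.ab.bc)^lR | (a(x).xx)^lQ | (a(y).y(z).([y=z]ya + y(w)))^lP)
R = ('out', 'a', 'b', ('out', 'a', 'b', ('out', 'b', 'c', ('nil',))))
Q = ('in', 'a', 'x', 'beta_x', ('out', 'x', 'x', ('nil',)))
P = ('in', 'a', 'y', 'beta_y', ('in', 'y', 'z', 'beta_z',
     ('sum', ('match', 'y', 'z', ('out', 'y', 'a', ('nil',))),
             ('in', 'y', 'w', 'beta_w', ('nil',)))))
S = ('rep', ('par', ('lev', 'lR', R), ('par', ('lev', 'lQ', Q), ('lev', 'lP', P))))
ME = {'a': 'chi_a', 'b': 'chi_b', 'c': 'chi_c'}
B, ABC = frozenset({'chi_b'}), CHANNELS
RHO = {'beta_x': B, 'beta_y': B, 'beta_z': ABC, 'beta_w': ABC}
SIGMA = {'in':  {('#', 'chi_a'): B, ('lQ', 'chi_a'): B, ('lP', 'chi_a'): B,
                 ('#', 'chi_b'): ABC, ('lP', 'chi_b'): ABC},
         'out': {('#', 'chi_a'): B, ('lR', 'chi_a'): B, ('#', 'chi_b'): ABC,
                 ('lR', 'chi_b'): frozenset({'chi_c'}), ('lQ', 'chi_b'): B,
                 ('lP', 'chi_b'): frozenset({'chi_a'})}}

def example_results():
    """(validated at #, discreet for lR < lQ < lP as in Example 2, discreet for lP < lQ < lR)."""
    up = [('lR', 'lQ'), ('lR', 'lP'), ('lQ', 'lP')]
    down = [(hi, lo) for lo, hi in up]
    return (validate(RHO, SIGMA, ME, '#', S),
            discreet(RHO, SIGMA, ME, S, up, {}),
            discreet(RHO, SIGMA, ME, S, down, {}))

if __name__ == '__main__':
    print(example_results())
```

With the reversed ordering the check fails on channel $\chi_b$, where $Q$ (now the higher level) writes $\chi_b$ and $P$ (now lower) reads it, which is exactly the write-down that item 3 of Def. 6 forbids.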

Note that the clearance levels of processes introduced here are orthogonal to
the security levels of channels as defined in [5]. There channels are partitioned
into secret and public and a static check is made that secret channels never
pass along a public one. Therefore channels always have the same level. On the
contrary, here it is possible that a channel $a$ can be sent along $b$ by one process but
not by another. Discreetness cannot be checked with the analysis of [5], because
in that analysis $a$ can be either sent on $b$ always or never. The combination of
the two analyses may permit a static check of even more demanding properties.

5 Conclusions 

There is a vast literature on the topics of our paper. Here we only mention very 
briefly some papers related to security issues. 

The first studies in system security reach back to the 1970’s and were mainly 
carried out in the area of operating systems; see the detailed survey by Landwehr 
[17] and Denning’s book [10] reporting on the static detection of secure flow 
violation while analysing the code. 

Recently, security classes have been formalized as types and the control of
flow is based on type checking. Heintze and Riecke [15] study a non-interference
property on the SLam Calculus (Secure λ-calculus). Volpano, Smith and Irvine
develop a type system to ensure secure information flow in a sequential imperative
language in [30], later extended by the first two authors to a concurrent,
shared-memory based setting [29]. Abadi studies in [1] the secrecy of channels
and of encrypted messages, using the spi-calculus, an extension of the π-calculus
devised for writing secure protocols. Venet [27, 28] uses Abstract Interpretation
techniques to analyse processes in a fragment of the π-calculus, with particular
attention to the usage of channels.

Other papers interesting for this area are [24, 26, 13, 8, 3, 9, 25, 16]. Particularly
relevant are Hennessy and Riely's papers [25, 16], who give a type system for
Dπ, a variant of the π-calculus with explicit sites that harbour mobile processes.
Cardelli and Gordon [6] propose a type system for the Mobile Ambient calculus
ensuring that a well-typed mobile computation cannot cause certain kinds of
run-time faults, even when capabilities can be exchanged between processes.

The idea of static analysis for security has been followed also in the Java
world, for example in the Java Bytecode Verifier [18], and in the techniques of
proof-carrying code [23]. Also Abadi faces in [2] the problem of implementing
secure systems and proposes to use full abstraction to check that the compiled
code enjoys the same security properties as the source program.

A different approach consists in dynamically checking properties. This point
of view has been adopted by a certain number of information flow models [14,
19, 20, 11, 12] (to cite only a few), mainly concerned with checking (variants of)
the security property we studied here. All these papers consider only the externally
observable behaviour as the object of the analysis.

Here, we presented a Control Flow Analysis for the π-calculus that statically
predicts how names will be bound to actual channels at run-time. The
only extensions made to the syntax of processes are that a channel $\chi$ is explicitly
assigned to a restricted name, and that an input action has the form
$x(y^{\beta})$, making explicit the role of the placeholder $y$; this change was motivated
by the inclusion of α-conversion in the semantics. Our intention was to apply
our analysis to detecting violations of a security property that needs security
levels, so processes may carry labels expressing their clearance. The result of our
analysis for a process $P$ is a solution $(\rho, \sigma)$. The abstract environment $\rho$ gives
information about which channels a binder $\beta$ may be bound to, by means of
communication. The abstract communication environment $\sigma$ gives information
about the channels sent and received by a process with clearance $l$. All the solution
components approximate the actual solution, because they may give a
super-set of the corresponding actual values.

We defined judgements of the form $(\rho, \sigma) \models^{l}_{me} P$ and a set of clauses that
operate on them so as to validate the correctness of the solution. The additional
marker environment $me$ binds the free names of $P$ to actual channels. The label
$l$ records the security level of $P$. We proved that a best solution always exists. In
the full paper we shall give a constructive procedure for generating solutions that
essentially generates a set of constraints corresponding to the checks necessary
to validate solutions. These constraints can be solved in low polynomial time.

We used our analysis to establish the no read-up/no write-down security
property of Bell and LaPadula. This property requires that a process with
high clearance level never sends channels to processes with a low clearance.
We defined a static check on solutions and proved that it implies the no read-
up/no write-down property. Also, the check that a process $P$ is discreet with
respect to given $\varsigma, me$ has a polynomial time complexity. A web-based system
that validates the solutions and checks discreetness can be found at the URL:
http://www.daimi.au.dk/~rrh/discreet.html.

We have not considered here the more general notion of the no read-up/no
write-down property, which assigns levels of confidentiality also to the exchanged
data (i.e. the objects of input and output actions). Processes with low level
clearance are then not allowed to access (i.e. they can neither send nor receive)
highly classified data. The reason is that the dynamic version of this property
is surprisingly more intricate than its static version. The latter, which entails the
former, only requires an additional check on the second component of a solution
(i.e., $\forall \chi' \in \sigma_{in}(l)(\chi)$ the confidentiality level of $\chi'$, possibly read along channel
$\chi$, should be smaller than the security level of the process under check, namely
$l$; similarly for $\sigma_{out}$).

Other properties that deserve further investigation are connected with the so-
called "indirect flow" of information, i.e. the possibility for a low level process
to detect the value of some confidential datum by "observing" the behaviour of
higher level processes.
Abstract. A sound and complete Hoare-style proof system is presented
for a sequential object-oriented language, called SPOOL. The proof system
is based on a weakest precondition calculus for aliasing and object-
creation.



1 Introduction 

This paper introduces a Hoare-style proof system for an object-oriented lan- 
guage, called SPOOL. SPOOL is a sequential version of the parallel object- 
oriented language POOL [2]. 

The main aspect of SPOOL that is dealt with is the problem of how to rea- 
son about pointer structures. In SPOOL, objects can be created at arbitrary 
points in a program, references to them can be stored in variables and passed 
around as parameters in messages. This implies that complicated and dynam- 
ically evolving structures of references between objects can occur. We want to 
reason about these structures on an abstraction level that is at least as high as 
that of the programming language. In more detail, this means the following: The 
only operations on “pointers” (references to objects) are testing for equality and 
dereferencing (looking at the value of an instance variable of the referenced ob- 
ject). Furthermore, in a given state of the system, it is only possible to mention 
the objects that exist in that state. Objects that do not (yet) exist never play a 
role. 

Strictly speaking, direct dereferencing is not even allowed in the programming 
language, because each object only has access to its own instance variables. 
However, for the time being we allow it in the assertion language. Otherwise, even 
more advanced techniques would be necessary to reason about the correctness 
of a program. 

The above restrictions have quite severe consequences for the proof system.
The limited set of operations on pointers implies that first-order logic is too
weak to express some interesting properties of pointer structures (for example,
the property, as considered in [9], that it is possible to go from one object to
the other by following a finite number of *-links). Therefore we have to extend
our assertion language to make it more expressive. In this paper we do so by
allowing the assertion language to reason about finite sequences of objects.

The proof system itself is based on a weakest precondition calculus for aliasing 
and object-creation. This means that in the proof system aliasing and object- 
creation are modelled by substitutions which, when applied to a given postcon- 
dition, yield the corresponding weakest precondition. 

W. Thomas (Ed.): FOSSACS'99, LNCS 1578, pp. 135-149, 1999.

© Springer-Verlag Berlin Heidelberg 1999

136 F.S. de Boer



Plan of the paper. In the following section we introduce the programming language
SPOOL. In section 3 the assertion language for describing object structures
is introduced. The proof system is discussed in section 4. In the final section
related work is discussed and some general conclusions are drawn.

2 The language SPOOL 

The most important concept of SPOOL is the concept of an object. This is
an entity containing data and procedures (methods) acting on these data. The
data are stored in variables, which come in two kinds: instance variables, whose
lifetime is the same as that of the object they belong to, and temporary variables,
which are local to a method and last as long as the method is active. Variables
can contain references to other objects in the system (or even the object under
consideration itself). The object a variable refers to (its value) can be changed
by an assignment. The value of a variable can also be nil, which means that it
refers to no object at all.

The variables of an object cannot be accessed directly by other objects. The
only way for objects to interact is by sending messages to each other. If an
object sends a message, it specifies the receiver, a method name, and possibly
some parameter objects. Then control is transferred from the sender object to
the receiver. This receiver then executes the specified method, using the parameters
in the message. Note that this method can, of course, access the instance
variables of the receiver. The method returns a result, an object, which is sent
back to the sender. Then control is transferred back to the sender, which resumes
its activities, possibly using this result object.

The sender of a message is blocked until the result comes back, that is, it 
cannot answer any message while it still has an outstanding message of its own. 
Therefore, when an object sends a message to itself (directly or indirectly) this 
will lead to abnormal termination of the program. 

Objects are grouped into classes. Objects in one class (the instances of the class) share the same methods, so in a certain sense they share the same behaviour. New instances of a given class can be created at any time. There are two standard classes, Int and Bool, of integers and booleans, respectively. They differ from the other classes in that their instances already exist at the beginning of the execution of the program and no new ones can be created. Moreover, some standard operations on these classes are defined.

A program essentially consists of a number of class definitions, together with a statement to be executed by an instance of a specific class. Usually, but not necessarily, this instance is the only non-standard object that exists at the beginning of the program: the others still have to be created.

In order to describe the language SPOOL, which is strongly typed, we use 
typed versions of all variables, expressions, etc. These types however are implic- 
itly assumed in the language description below. 

We assume the following sets to be given: a set $C$ of class names, with typical element $c$ (this means that metavariables like $c, c', c_i, \ldots$ range over elements of the set $C$). We assume that $\mathrm{Int}, \mathrm{Bool} \notin C$ and define the set $C^+ = C \cup \{\mathrm{Int}, \mathrm{Bool}\}$, with typical element $d$. For each $c \in C$, $d \in C^+$ we assume a set $\mathrm{IVar}^c_d$, with typical element $x$, of instance variables in class $c$ which are of type $d$. For each $d \in C^+$ we assume a set $\mathrm{TVar}_d$ of temporary variables of type $d$, with typical element $u$. Finally, for each $c \in C$ and $d_0, \ldots, d_n \in C^+$ ($n \geq 0$) we assume a set $\mathrm{MName}^c_{d_0, \ldots, d_n}$ of method names of class $c$ with result type $d_0$ and parameter types $d_1, \ldots, d_n$. The set $\mathrm{MName}^c_{d_0, \ldots, d_n}$ will have $m$ as a typical element.

Now we can specify the syntax of our (strongly typed) language (we omit 
the typing information). 

Definition 1. For any $c \in C$ and $d \in C^+$ the set $\mathrm{Exp}^c_d$ of expressions of type $d$ in class $c$, with typical element $e$, is defined as usual. We give the following base cases.

$$e ::= x \mid u \mid \mathrm{nil} \mid \mathrm{self} \mid \cdots$$

The set $\mathrm{SExp}^c_d$ of expressions with possible side effect of type $d$ in class $c$, with typical element $s$, is defined as follows:

$$s ::= e \mid \mathrm{new} \mid e_0!m(e_1, \ldots, e_n)$$

The first kind of side effect expression is a normal expression, which has no actual side effect, of course. The second kind is the creation of a new object. This new object will also be the value of the side effect expression. The third kind of side effect expression specifies that a message is to be sent to the object that results from $e_0$, with method name $m$ and with arguments (the objects resulting from) $e_1, \ldots, e_n$.

The set $\mathrm{Stat}^c$ of statements in class $c$, with typical element $S$, is constructed from assignments by means of the standard sequential operations of sequential composition, (deterministic) choice and iteration.

Definition 2. The set $\mathrm{MethDef}^c$ of method definitions in class $c$, with typical element $\mu$, is defined by:

$$\mu ::= (u_1, \ldots, u_n : S \uparrow e)$$

Here we require that the $u_i$ are all different and that none of them occurs at the left hand side of an assignment in $S \in \mathrm{Stat}^c$ (and that $n \geq 0$).

When an object is sent a message, the method named in the message is invoked as follows: the variables $u_1, \ldots, u_n$ (the parameters of the method) are given the values specified in the message, all other temporary variables (i.e. the local variables of the method) are initialized to nil, and then the statement $S$ is executed. After that the expression $e$ is evaluated and its value, the result of the method, is sent back to the sender of the message, where it will be the value of the send-expression that sent the message.

Definition 3. The set $\mathrm{ClassDef}^c$ of definitions of class $c$, with typical element $D$, is defined by:

$$D ::= c : (m_1 \Leftarrow \mu_1, \ldots, m_n \Leftarrow \mu_n)$$

where we require that all the method names are different (and $n \geq 0$).
Definition 4. Finally, the set $\mathrm{Prog}^c$ of programs in class $c$, with typical element $\rho$, is defined by:

$$\rho ::= (U \mid c : S)$$

where $U$ denotes a finite set of class definitions and $S \in \mathrm{Stat}^c$. The interpretation of such a program is that the statement $S$ is executed by some object of class $c$ (the root object) in the context of the declarations contained in the unit $U$. In many cases (including the following example) we shall assume that at the beginning of the execution this root object is the only existing non-standard object.

Example 1. The following program generates prime numbers using the sieve method of Eratosthenes.

    (Sieve : (input ⇐ (q) : if next = nil
                             then next := new; p := q
                             else if q mod p ≠ 0 then next!input(q) fi
                             fi
                             ↑ self),
     Driver : ()
    | Driver : i := 2;
               first := new;
               while i < bound do first!input(i); i := i + 1 od)



Figure 1 represents the system in a certain stage of the execution of the 
program. 
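As an added illustration (not code from the paper), the following Python model runs the sieve program of Example 1 under the message-passing discipline of section 2: `send` blocks the sender until its result returns and aborts when the receiver is itself blocked, so that a message to self terminates abnormally. Class and method names mirror Example 1; the `blocked` list, `Driver.run`, `primes_held` and `SelfCaller` are names chosen here.

```python
# Added model of SPOOL message passing (not the paper's code): the sender is
# blocked while its message is outstanding, and a message to a blocked object
# (e.g. to self) terminates the program abnormally, as described in section 2.

class Deadlock(Exception):
    """Raised when a message is sent to an object that is waiting for a result."""


class SpoolObject:
    """Base class: instance variables start as nil (None); `send` models e0!m(e)."""
    blocked = []                 # objects with an outstanding message (the S_c of sect. 4)

    def send(self, receiver, method, *args):
        """Transfer control to `receiver`, blocking `self` until the result comes back."""
        if receiver is None:
            raise RuntimeError("message sent to nil")
        SpoolObject.blocked.append(self)            # virtual S_c := S_c . self
        try:
            if any(o is receiver for o in SpoolObject.blocked):
                raise Deadlock("receiver is itself blocked")   # 'self not in S_c' fails
            return getattr(receiver, method)(*args)
        finally:
            SpoolObject.blocked.pop()               # control returns, self is unblocked


class Sieve(SpoolObject):
    """Class Sieve of Example 1: one filter per prime, chained through `next`."""
    def __init__(self):
        self.p = None                  # the prime this filter holds
        self.next = None               # the next filter in the chain

    def input(self, q):
        # input <= (q) : if next = nil then next := new; p := q
        #                else if q mod p <> 0 then next!input(q) fi fi ^ self
        if self.next is None:
            self.next = Sieve()
            self.p = q
        elif q % self.p != 0:
            self.send(self.next, "input", q)
        return self


class Driver(SpoolObject):
    """Class Driver of Example 1; `run` is the root statement (U | Driver : S)."""
    def __init__(self):
        self.i = None
        self.first = None

    def run(self, bound):
        self.i = 2                     # i := 2
        self.first = Sieve()           # first := new
        while self.i < bound:          # while i < bound do first!input(i); i := i + 1 od
            self.send(self.first, "input", self.i)
            self.i += 1
        return self


def primes_held(driver):
    """Walk the `next` chain (the sequence z of Example 2) and collect each p."""
    out, node = [], driver.first
    while node is not None and node.p is not None:
        out.append(node.p)
        node = node.next
    return out


def sieve_primes(bound):
    """Primes below `bound`, as left in the object structure by the sieve program."""
    return primes_held(Driver().run(bound))


class SelfCaller(SpoolObject):
    """x := self!m (the shape of Example 5): the sender is blocked, so it deadlocks."""
    def m(self):
        return self.send(self, "m")


def self_send_deadlocks():
    """True if sending a message to self is caught as a deadlock."""
    try:
        SelfCaller().m()
    except Deadlock:
        return True
    return False
```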

3 The assertion language 

In this section a formalism is introduced for expressing certain properties of a complete system, or configuration, of objects. Such a system consists, for each class, of the set of existing objects in that class (i.e. the objects in that class which have been created so far) together with their internal states (i.e. an assignment of values to their own instance variables), and the currently active object together with an assignment of values to its temporary variables.

Fig. 1. Objects in the sieve program in a certain stage of the execution

One element of this assertion language will be the introduction of logical variables. These variables may not occur in the program, but only in the assertion language. Therefore we are always sure that the value of a logical variable can never be changed by a statement. Apart from a certain degree of cleanliness, this has the additional advantage that we can use logical variables to express the constancy of certain expressions (for example in the proof rule for message passing). Logical variables also serve as bound variables for quantifiers.

The set of expressions in the assertion language is larger than the set of pro- 
gramming language expressions not only because it contains logical variables, 
but also because by means of a dereferencing operator it is allowed to refer to 
instance variables of other objects. Furthermore we include conditional expres- 
sions in the assertion language. These conditional expressions will be used for 
the analysis of the phenomenon of aliasing which arises because of the presence 
of a dereferencing operator. 

In two respects our assertion language differs from the usual first-order predicate logic: Firstly, the range of quantifiers is limited to the existing objects in the current state of the system. For the classes different from Int and Bool this restriction means that we cannot talk about objects that have not yet been created, even if they could be created in the future. This is done in order to satisfy the requirements on the proof system stated in the introduction. Because of this the range of the quantifiers can be different for different states. More in particular, a statement can change the truth of an assertion even if none of the program variables accessed by the statement occurs in the assertion, simply by creating an object and thereby changing the range of a quantifier. (The idea of restricting the range of quantifiers was inspired by [11].)

Secondly, in order to strengthen the expressiveness of the logic, it is augmented with quantification over finite sequences of objects. It is quite clear that this is necessary, because simple first-order logic is not able to express certain interesting properties.

Definition 5. For each $d \in C^+$ we introduce the symbol $d^*$ for the type of all finite sequences with elements from $d$, we let $C^*$ stand for the set $\{d^* \mid d \in C^+\}$, and we use $C^\dagger$, with typical element $a$, for the union $C^+ \cup C^*$. We assume that for every $a$ in $C^\dagger$ we have a set $\mathrm{LVar}_a$ of logical variables of type $a$, with typical element $z$.
Definition 6. We give the following typical elements of the set $\mathrm{LExp}^c_a$ of logical expressions of type $a$ in class $c$ (we omit the typing information):

$$l ::= e \mid z \mid l.x \mid \mathrm{if}\ l_0\ \mathrm{then}\ l_1\ \mathrm{else}\ l_2\ \mathrm{fi}$$

An expression $e$ is evaluated in the internal state of the currently active object, which is denoted by self. The difference with the set $\mathrm{Exp}^c_d$ of expressions in the programming language is that in logical expressions we can use logical variables, refer to the instance variables of other objects (the expression $l.x$ refers to the local value of the instance variable $x$ of the object denoted by $l$), and write conditional expressions. Furthermore, we extended the domain of discourse by means of logical variables ranging over sequences. In order to reason about sequences we assume the presence of notations to express, for example, the length of a sequence (denoted by $|l|$) and the selection of an element of a sequence (denoted by $l(n)$, where $n$ is an integer expression).

Definition 7. The set $\mathrm{Ass}^c$ of assertions in class $c$, with typical elements $P$ and $Q$, is defined by:

$$P ::= l \mid P \wedge Q \mid \neg P \mid \exists z\,P$$

Here $l$ denotes a boolean expression (i.e. $l \in \mathrm{LExp}^c_{\mathrm{Bool}}$).

As already explained above, a formula $\exists z\,P$, with $z$ of some type $c \in C$, states that $P$ holds for some existing object in class $c$. A formula $\exists z\,P$, with $z$ of a sequence type $c^*$, states the existence of a sequence of existing objects in class $c$.

Example 2. The formula $\exists z\,\mathrm{true}$, where $z$ is of some type $c \in C$, thus states the existence of an object in class $c$. As such this formula is false in case no such objects exist. As another example, the following formula states the existence of a sequence of objects in class Sieve (of the example program in the previous section) such that the value of $p$ of the $n$th element in this sequence is the $n$th prime number and next refers to the next element, i.e. the $(n+1)$th element, in the sequence.

$$\exists z\,\big(\forall n\,(0 < n \wedge n < |z| \to z(n).p = \mathrm{prime}(n)) \wedge \forall n\,(0 < n \wedge n < |z| \to z(n).\mathrm{next} = z(n+1))\big)$$

Here $n$ denotes a logical variable ranging over integers and $z$ ranges over sequences of objects in class Sieve. The predicate $\mathrm{prime}(n)$ holds if $n$ is a prime.

Definition 8. A correctness formula in class $c$ is a Hoare triple of the form $\{P\}\,\rho\,\{Q\}$, where $P, Q \in \mathrm{Ass}^c$ and $\rho \in \mathrm{Prog}^c$.

A Hoare triple $\{P\}\,\rho\,\{Q\}$ expresses a partial correctness property of the program $\rho$: it holds if every successfully terminating execution of the program $\rho$ in a system of objects which satisfies the precondition $P$ results in a final configuration which satisfies the postcondition $Q$.
4 The proof system

In this section we present a Hoare-style proof system which provides a view of programs in SPOOL as predicate transformers.

Simple assignments We shall call a statement a simple assignment if it is of the form $x := e$ or $u := e$ (that is, it uses the first form of a side effect expression: the one without a side effect). For the axiomatization of simple assignments to temporary variables the standard assignment axiom suffices, because objects are only allowed to refer to the instance variables of other objects and therefore aliasing, i.e. the situation that different expressions refer to the same variable, does not arise in case of temporary variables.

In the case that the target variable of an assignment statement is an instance variable, we use the following axiom:

$$\{P[e/x]\}\,(U \mid c : x := e)\,\{P\}$$

The substitution operation $[e/x]$ has to account for possible aliases of the variable $x$, namely expressions of the form $l.x$: it is possible that, after substitution, $l$ refers to the currently active object (i.e. the object denoted by self), so that $l.x$ is the same variable as $x$ and should be substituted by $e$. It is also possible that, after substitution, $l$ does not refer to the currently executing object, and in this case no substitution should take place. Since we cannot decide between these possibilities by the form of the expression only, a conditional expression is constructed which decides "dynamically".

Definition 9. We have the following main cases of the substitution operation $[e/x]$:

$$l.x[e/x] = \mathrm{if}\ (l[e/x]) = \mathrm{self}\ \mathrm{then}\ e\ \mathrm{else}\ (l[e/x]).x\ \mathrm{fi}$$

$$l.x'[e/x] = (l[e/x]).x' \quad \text{if } x' \neq x$$

The definition is extended to assertions other than logical expressions in the standard way.

Object creation Next we consider the creation of objects. We will introduce 
two different axiomatizations of object-creation which are based on the logical 
formulation of the weakest precondition and the strongest postcondition, respec- 
tively. First we consider a weakest precondition axiomatization. 

For an assignment of the form $u := \mathrm{new}$ we have an axiom similar to the previous two:

$$\{P[\mathrm{new}/u]\}\,(U \mid c : u := \mathrm{new})\,\{P\}$$

We have to define the substitution $[\mathrm{new}/u]$. As with the notions of substitution used in the axioms for simple assignments, we want the expression after substitution to have the same meaning in a state before the assignment as the unsubstituted expression has in the state after the assignment. However, in the case of a new-assignment, there are expressions for which this is not possible, because they refer to the new object (in the new state) and there is no expression that could refer to that object in the old state, because it does not exist yet. Therefore the result of the substitution must be left undefined in some cases.

However we are able to carry out the substitution in case of assertions, assuming, without loss of expressiveness, that in the assertion language the operations on sequences are limited to $|l|$, i.e. the length of the sequence $l$, and $l(n)$, i.e. the operation which yields the $n$th element of $l$. The idea behind this is that in an assertion the variable $u$ referring to the new object can essentially occur only in a context where either one of its instance variables is referenced, or it is compared for equality with another expression. In both of these cases we can predict the outcome without having to refer to the new object.

Definition 10. Here are the main cases of the formal definition of the substitution $[\mathrm{new}/u]$ for logical expressions. As already explained above the result of the substitution $[\mathrm{new}/u]$ is undefined for the expression $u$. Since the (instance) variables of a newly created object are initialized to nil we have

$$u.x[\mathrm{new}/u] = \mathrm{nil}$$

If neither $l_1$ nor $l_2$ is $u$ or a conditional expression they cannot refer to the newly created object and we have

$$(l_1 = l_2)[\mathrm{new}/u] = \big(l_1[\mathrm{new}/u]\big) = \big(l_2[\mathrm{new}/u]\big)$$

If either $l_1$ is $u$ and $l_2$ is neither $u$ nor a conditional expression (or vice versa) we have that after the substitution operation $l_1$ and $l_2$ cannot denote the same object (because one of them refers to the newly created object while the other one refers to an already existing object):

$$(l_1 = l_2)[\mathrm{new}/u] = \mathrm{false}$$

On the other hand if both the expressions $l_1$ and $l_2$ equal $u$ we obviously have

$$(l_1 = l_2)[\mathrm{new}/u] = \mathrm{true}$$

We have that $l[\mathrm{new}/u]$ is defined for boolean expressions $l$.

Definition 11. We extend the substitution operation $[\mathrm{new}/u]$ to assertions other than logical expressions as follows (we assume that the type of $u$ is $d \in C$):

$$(P \wedge Q)[\mathrm{new}/u] = (P[\mathrm{new}/u]) \wedge (Q[\mathrm{new}/u])$$

$$(\neg P)[\mathrm{new}/u] = \neg(P[\mathrm{new}/u])$$

$$(\exists z\,P)[\mathrm{new}/u] = (\exists z\,(P[\mathrm{new}/u])) \vee (P[u/z][\mathrm{new}/u])$$

$$(\exists z\,P)[\mathrm{new}/u] = \exists z\,\exists z'\,(|z| = |z'| \wedge (P[z', u/z][\mathrm{new}/u]))$$

$$(\exists z\,P)[\mathrm{new}/u] = (\exists z\,(P[\mathrm{new}/u]))$$

In the third and fourth clause the (bound) variable $z$ is assumed to be of type $d$ and $d^*$, respectively. The type of the variable $z$ in the last clause is a type different from $d$ and $d^*$. The (bound) variable $z'$ in the fourth clause is assumed to be of boolean sequence type $\mathrm{Bool}^*$ (this variable is also assumed not to occur in $P$).

The idea of the application of $[\mathrm{new}/u]$ to $(\exists z\,P)$ (in case $z$ is of the same type as $u$) is that the first disjunct $(\exists z\,(P[\mathrm{new}/u]))$ represents the case that the object for which $P$ holds is an 'old' object (i.e. which exists already before the creation of the new object) whereas the second disjunct $P[u/z][\mathrm{new}/u]$ represents the case that the new object itself satisfies $P$.

The idea of the fourth clause is that $z$ and $z'$ together code a sequence of objects in the state after the new-statement. At the places where $z'$ yields true the value of the coded sequence is the newly created object. Where $z'$ yields false the value of the coded sequence is the same as the value of $z$. This encoding is described by the substitution operation $[z', u/z]$, the main characteristic cases of which are:

$$z[z', u/z] \text{ is undefined}$$

$$(z(l))[z', u/z] = \mathrm{if}\ z'(l')\ \mathrm{then}\ u\ \mathrm{else}\ z(l')\ \mathrm{fi}, \quad \text{where } l' = l[z', u/z]$$

This substitution operation $[z', u/z]$ is defined for boolean expressions.

Example 3. Let $z$ be a logical variable of the same type as $u$. We have

$$(\exists z\,(u = z))[\mathrm{new}/u] = (\exists z\,(u = z)[\mathrm{new}/u]) \vee (u = u)[\mathrm{new}/u] = \exists z\,\mathrm{false} \vee \mathrm{true}$$

where the last assertion obviously reduces to true, which indeed is the weakest precondition of $\exists z\,(u = z)$ with respect to $u := \mathrm{new}$.
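The substitutions of Definition 9 (aliasing through $l.x$) and of Definitions 10 and 11 (object creation), as an added example that is not part of the paper: a small assertion AST in Python with the two substitution operations, reproducing Example 3 and the substitution $R[r/x_1]$ of Example 4. The sequence clause of Definition 11 is omitted, and the case of an equality with a conditional operand, which the paper does not spell out, is handled by distributing the equality over the branches (an assumption made here); `simplify` and `wp_new` are helper names chosen for this example.

```python
# Added example (not the paper's code): the substitutions [e/x] of Definition 9
# and [new/u] of Definitions 10 and 11 on a small assertion AST.
from dataclasses import dataclass

@dataclass(frozen=True)
class Self: pass                                   # the currently active object
@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Const: value: bool                           # true / false
@dataclass(frozen=True)
class IVar: name: str                              # instance variable x of self
@dataclass(frozen=True)
class TVar: name: str; typ: str                    # temporary variable u of class typ
@dataclass(frozen=True)
class LVar: name: str; typ: str                    # logical variable z of class typ
@dataclass(frozen=True)
class Deref: obj: object; name: str                # l.x
@dataclass(frozen=True)
class Cond: cond: object; then: object; els: object  # if c then a else b fi
@dataclass(frozen=True)
class Eq: left: object; right: object              # l1 = l2
@dataclass(frozen=True)
class And: left: object; right: object
@dataclass(frozen=True)
class Or: left: object; right: object
@dataclass(frozen=True)
class Ex: var: LVar; body: object                  # exists z . P, z over existing objects

def _map(p, f):
    """Apply f to the immediate sub-terms of p; atoms come back unchanged."""
    if isinstance(p, Deref): return Deref(f(p.obj), p.name)
    if isinstance(p, Cond):  return Cond(f(p.cond), f(p.then), f(p.els))
    if isinstance(p, (Eq, And, Or)): return type(p)(f(p.left), f(p.right))
    if isinstance(p, Ex):    return Ex(p.var, f(p.body))
    return p

def subst_assign(p, x, e):
    """P[e/x] for the instance-variable assignment x := e (Definition 9)."""
    rec = lambda q: subst_assign(q, x, e)
    if isinstance(p, IVar) and p.name == x:
        return e
    if isinstance(p, Deref) and p.name == x:
        # l.x aliases x exactly when l denotes self; the form of l cannot tell,
        # so a conditional decides it "dynamically" in the state before x := e.
        obj = rec(p.obj)
        return Cond(Eq(obj, Self()), e, Deref(obj, x))
    return _map(p, rec)                            # l.x' (x' != x), z, self, nil, ...

def subst_lvar(p, z, u):
    """P[u/z]: the logical variable z stands for the temporary variable u."""
    if p == z:
        return u
    if isinstance(p, Ex) and p.var == z:
        return p                                   # z is rebound here
    return _map(p, lambda q: subst_lvar(q, z, u))

def subst_new(p, u):
    """P[new/u] for u := new (Definitions 10 and 11, sequence clause omitted).
    Raises ValueError where the paper leaves the result undefined."""
    rec = lambda q: subst_new(q, u)
    if p == u:
        raise ValueError("u[new/u] is undefined: nothing names the new object yet")
    if isinstance(p, Deref) and p.obj == u:
        return Nil()                               # variables of a fresh object are nil
    if isinstance(p, Eq):
        l1, l2 = p.left, p.right
        if l1 == u and l2 == u:
            return Const(True)
        for a, b in ((l1, l2), (l2, l1)):
            if isinstance(a, Cond):                # assumption, not spelled out in the
                return Cond(rec(a.cond), rec(Eq(a.then, b)), rec(Eq(a.els, b)))  # paper
        if l1 == u or l2 == u:
            return Const(False)                    # new object vs. an existing one
    if isinstance(p, Ex) and p.var.typ == u.typ:
        # third clause: an old object satisfies P, or the new object itself does
        return Or(Ex(p.var, rec(p.body)), rec(subst_lvar(p.body, p.var, u)))
    return _map(p, rec)                            # remaining clauses are structural

def simplify(p):
    """Propositional clean-up, e.g. 'exists z false or true' becomes 'true'."""
    p = _map(p, simplify)
    T, F = Const(True), Const(False)
    if isinstance(p, (Or, And)):
        unit, zero = (F, T) if isinstance(p, Or) else (T, F)   # identity / absorbing
        if zero in (p.left, p.right): return zero
        if p.left == unit: return p.right
        if p.right == unit: return p.left
    if isinstance(p, Ex) and p.body == F:
        return F                                   # but 'exists z true' is NOT true
    return p

def wp_new(p, u):
    """Weakest precondition of u := new for postcondition p, or None if undefined."""
    try:
        return simplify(subst_new(p, u))
    except ValueError:
        return None
```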

Note that we cannot apply the substitution operation $[\mathrm{new}/u]$ directly to assertions involving more high-level operations on sequences. For example, an assertion like $l_1 \leq l_2$, which expresses that the sequence $l_1$ is a prefix of $l_2$, we have first to reformulate into a logically equivalent one which uses only the sequence operations $|l|$ and $l(n)$. Thus, $l_1 \leq l_2$ should first be translated into

$$\forall n\,(0 < n \wedge n < |l_1| \to l_1(n) = l_2(n))$$

If our assignment is of the form $x := \mathrm{new}$ we have the following axiom:

$$\{P[\mathrm{new}/x]\}\,(U \mid c : x := \mathrm{new})\,\{P\}$$

The substitution operation $[\mathrm{new}/x]$ is defined by: $P[u/x][\mathrm{new}/u]$, where $u$ is a temporary variable that does not occur in $P$. (It is easy to see that this definition does not depend on the actual $u$ used.)

Thus we see that we are able to compute the weakest precondition of a new-statement despite the fact that we cannot refer to the newly created object in the state prior to its creation. Alternatively, we have the following strongest postcondition axiomatization of object-creation. Let $u$ be a temporary variable of type $c$, and the logical variables $z$ and $z'$ be of type $c^*$ and $c$, respectively. Moreover, let $V$ be a finite set of instance variables in class $c$. For an assignment of the form $u := \mathrm{new}$ we have the following axiom.

$$\{P\}\,(U \mid c : u := \mathrm{new})\,\{\exists z\,(P' \downarrow z \wedge Q(V, z))\}$$

where $P' = \exists z'\,(P[z'/u])$ and $Q(V, z)$ denotes the following assertion

$$u \notin z \wedge \forall z'\,(z' \in z \vee z' = u) \wedge \bigwedge_{x \in V} u.x = \mathrm{nil}$$

The operation $\downarrow z$ applied to an assertion $R$ restricts all quantifications in $R$ to $z$. It is described in more detail below. Let us first explain the role of the logical variables $z$ and $z'$ (which are assumed not to occur in $P$). The logical variable $z$ in the postcondition is intended to store all the objects in class $c$ which exist in the state prior to the creation of the new object. The logical variable $z'$ is intended to represent the old value of $u$. Given that $z'$ denotes the old value of $u$, that $P$ holds for the old value of $u$ can then be expressed in the postcondition simply by $P[z'/u]$. However the quantification $\exists z'\,(P[z'/u])$ in the postcondition will also include the newly created object. In general we thus have to take into account the changing scope of the quantifiers. For example, consider $P \equiv \forall z''\,\mathrm{false}$ (with $z''$ of type $c$). Obviously $P$, which states that there do not exist objects in class $c$, does not hold anymore after the creation of a new object in class $c$. Our solution to this problem is to restrict the scope of all quantifications involving objects in class $c$ to the old objects in class $c$, which are given by $z$. This restriction operation is denoted by $\downarrow z$. Its main characteristic defining clauses are the following two:

$$(\exists z''\,R) \downarrow z = \exists z''\,(z'' \in z \wedge R \downarrow z)$$

$$(\exists z''\,R) \downarrow z = \exists z''\,(z'' \subseteq z \wedge R \downarrow z)$$

where in the first clause $z''$ is of type $c$ while in the second clause $z''$ is of type $c^*$ (for convenience we assume the presence of the relation 'is an element of the sequence', denoted by $\in$, and the containment relation $\subseteq$, which holds whenever all the elements of its first argument occur in its second argument). Finally, the assertion $Q(V, z)$ in the postcondition of the axiom above expresses that $u$ denotes the newly created object and specifies the initial values of the variables in $V$ (of the newly created object).

For new-statements involving instance variables we have a similar axiom char- 
acterizing its strongest postcondition semantics. 

It is of interest to observe here that the strongest postcondition axiomatization does not require a restricted repertoire of primitive sequence operations.

Method calls Next we present proof rules for verifying the third kind of assign- 
ments: the ones where a message is sent and the result stored in the variable on 
the left hand side. We present here a rule for non-recursive methods (recursion 
is handled by a straightforward adaptation of the classical recursion rule, see for 
example [3]). 
For the statement $x := e_0!m(e_1, \ldots, e_n)$, we have the following proof rule (for the statement $u := e_0!m(e_1, \ldots, e_n)$ we have a similar rule):

$$\frac{\{P \wedge \bigwedge_{i=1}^{k} v_i = \mathrm{nil} \wedge \mathrm{self} \notin S_{c'}\}\,(U \mid c' : S)\,\{Q[e/r]\} \qquad Q'[f/z] \to R[r/x]}{\{P'[f/z]\}\,(U \mid c : x := e_0!m(e_1, \ldots, e_n))\,\{R\}} \quad (\mathrm{MI})$$

where $S \in \mathrm{Stat}^{c'}$ and $e \in \mathrm{Exp}^{c'}_{d_0}$ are the statement and expression occurring in the definition of the method $m$ in the unit $U$, $u_1, \ldots, u_n$ are its formal parameters, $v_1, \ldots, v_k$ is a row of temporary variables that are not formal parameters ($k \geq 0$), $r$ is a logical variable of the type of the result of the method $m$ (it is assumed that $r$ does not occur in $R$), $f$ is an arbitrary row of expressions (not logical expressions) in class $c$, and $z$ is a row of logical variables, mutually different and different from $r$, such that the type of each $z_i$ is the same as the type of the corresponding $f_i$. Furthermore, we assume given for each $d \in C$ a logical variable $S_d$ of type $d^*$. These variables will store the objects in class $d$ that are blocked (as will be explained below). Finally, $P'$ and $Q'$ denote the result of applying to $P$ and $Q$ a simultaneous substitution having the "components" $[e_0/\mathrm{self}]$, $[S_c \cdot \mathrm{self}/S_c]$, $[e_1/u_1], \ldots, [e_n/u_n]$ (a formal definition will follow). We require that no temporary variables other than the formal parameters $u_1, \ldots, u_n$ occur in $P$ or $Q$.

Before explaining the above rule let us first summarize the execution of a method call: First, control is transferred from the sender of the message to the receiver (context switching). The formal parameters of the receiver are initialized with the values of the expressions that form the actual parameters of the message and the other temporary variables are initialized to nil. Then the body $S$ of the method is executed. After that the result expression $e$ is evaluated, control is returned to the sender, the temporary variables are restored, and the result object is assigned to the variable $x$.

The first thing, the context switching, is represented by the substitutions $[e_0/\mathrm{self}]$, $[S_c \cdot \mathrm{self}/S_c]$ (the append operation is denoted by $\cdot$), and $[e/u]$ (where $e = e_1, \ldots, e_n$ and $u = u_1, \ldots, u_n$).

The transfer of control itself corresponds with a 'virtual' statement $\mathrm{self} := e_0$. Thus we see that if $P[e_0/\mathrm{self}]$ holds from the viewpoint of the sender then $P$ holds from the viewpoint of the receiver after the transfer of control (i.e. after $\mathrm{self} := e_0$). Or, in other words, an assertion $P$ as seen from the receiver's viewpoint is equivalent to $P[e_0/\mathrm{self}]$ from the viewpoint of the sender.

Definition 12. We have the following main cases of the substitution operation $[e/\mathrm{self}]$: $x[e/\mathrm{self}] = e.x$ and $\mathrm{self}[e/\mathrm{self}] = e$.

Note that this substitution changes the class of the assertion: $P[e_0/\mathrm{self}] \in \mathrm{Ass}^c$ whereas $P \in \mathrm{Ass}^{c'}$.

The (standard) substitution $[S_c \cdot \mathrm{self}/S_c]$ models the other aspect of the context switch, namely that the sender of the message is blocked while the receiver is active. This aspect of the control switch thus corresponds with a virtual statement $S_c := S_c \cdot \mathrm{self}$. Moreover, the implicit check that the receiver itself is not blocked is expressed by the additional information $\mathrm{self} \notin S_{c'}$ in the precondition of the receiver (below an example is given of how this information can be used).

Now the passing of the parameters is simply represented by the simultaneous substitution $[e/u]$. (Note that we really need simultaneous substitution here, because $u_i$ might occur in an $e_j$ with $j < i$, but it should not be substituted again.) In reasoning about the body of the method we may also use the information that temporary variables that are not parameters are initialized to nil.

The second thing to note is the way the result is passed back. Here the logical variable $r$ plays an important role. This is best understood by imagining after the body $S$ of the method the statement $r := e$ (which is syntactically illegal, however, because $r$ is a logical variable). In the sending object one could imagine the (equally illegal) statement $x := r$. Now if the body $S$ terminates in a state where $Q[e/r]$ holds (a premiss of the rule) then after this "virtual" statement $r := e$ we would have a situation in which $Q$ holds. Otherwise stated, the assertion $Q$ describes the situation after executing the method body, in which the result is represented by the logical variable $r$, everything seen from the viewpoint of the receiver. Now if we context-switch this $Q$ to the sender's side, and if it implies $R[r/x]$, then we know that after assigning the result to the variable $x$ (our second imaginary assignment $x := r$), the assertion $R$ will hold.

Now we come to the role of $f$ and $z$. We know that during the evaluation of the method the sending object becomes blocked, that is, it cannot answer any incoming messages. Therefore its instance variables will not change in the meantime. The temporary variables will be restored after the method is executed, so these will also be unchanged, and finally the symbol self will retain its meaning over the call. All the expressions in class $c$ (and in particular the $f_i$) are built from these expressions plus some inherently constant expressions and therefore their value will not change during the call. However, the method can change the variables of other objects and new objects can be created, so that the properties of these unchanged expressions can change. In order to be able to make use of the fact that the expressions $f$ are constant during the call, the rule offers the possibility to replace them temporarily by the logical variables $z$, which are automatically constant. So, in reasoning from the receiver's viewpoint (in the rule this applies to the assertions $P$ and $Q$) the value of the expression $f_i$ is represented by $z_i$, and in context switching $f_i$ comes in again by the substitution $[f/z]$. Note that the constancy of $f$ is guaranteed up to the point where the result of the method is assigned to $x$, and that $x$ may occur in $f_i$, so that it is possible to make use of the fact that $x$ remains unchanged right up to the assignment of the result.

Example 4. Let us illustrate the use of the above rule by a small example. Consider the unit $U = c : (m \Leftarrow (u_0) : x_1 := u_0 \uparrow x_2)$ and the program $\rho = (U \mid c : x_1 := u_1!m(x_2))$. We want to show

$$\{u_1.x_1 = x_1 \wedge \neg u_1 = \mathrm{self}\}\,\rho\,\{u_1.x_1 = x_2 \wedge x_1 = u_1.x_2\}$$
Fig. 2. The situation before and after sending the message (example 4)



So let us apply the rule (MI) with the following choices:

$$P = x_1 = z_1 \wedge \neg\mathrm{self} = z_2$$

$$Q = x_1 = u_0 \wedge r = x_2 \wedge \neg\mathrm{self} = z_2$$

$$R = u_1.x_1 = x_2 \wedge x_1 = u_1.x_2$$

$$k = 0 \ (\text{we shall use no } v_i)$$

$$f_1 = x_1 \ (\text{represented by } z_1 \text{ in } P \text{ and } Q)$$

$$f_2 = \mathrm{self} \ (\text{represented by } z_2 \text{ in } P \text{ and } Q)$$

First notice that $P[u_1, x_2/\mathrm{self}, u_0][x_1, \mathrm{self}/z_1, z_2] = u_1.x_1 = x_1 \wedge \neg u_1 = \mathrm{self}$, so that the result of the rule is precisely what we want.

For the first premiss we have to prove

$$\{x_1 = z_1 \wedge \neg\mathrm{self} = z_2\}\,(U \mid c : x_1 := u_0)\,\{x_1 = u_0 \wedge x_2 = x_2 \wedge \neg\mathrm{self} = z_2\}$$

This is easily done with the appropriate assignment axiom and the rule of consequence.

With respect to the second premiss, we have

$$Q[u_1, x_2/\mathrm{self}, u_0][x_1, \mathrm{self}/z_1, z_2] = u_1.x_1 = x_2 \wedge r = u_1.x_2 \wedge \neg u_1 = \mathrm{self}$$

$$R[r/x_1] = \mathrm{if}\ u_1 = \mathrm{self}\ \mathrm{then}\ r\ \mathrm{else}\ u_1.x_1\ \mathrm{fi} = x_2 \wedge r = u_1.x_2$$

It is quite clear that the first implies the second, and we can use this implication as an axiom.



In the above example we did not need to use the information represented by the logical variables $S_d$. The following example illustrates the use of these variables in reasoning about deadlock.

Example 5. Consider the program $\rho = (U \mid c : x := \mathrm{self}!m)$, where $m$ is defined in $U$ without parameters. Since this program obviously deadlocks (in general we will have to deal with longer cycles in the calling chain) we have the validity of $\{\mathrm{true}\}\,\rho\,\{\mathrm{false}\}$. This can be proved simply by observing that true is equivalent to $\mathrm{self} \in S_c \cdot \mathrm{self}$ and that the latter assertion can be obtained by applying the substitution $[S_c \cdot \mathrm{self}/S_c]$ to the assertion $\mathrm{self} \in S_c$. But this latter assertion, which by the above we can use as the part $P$ of the precondition of the receiver in the rule (MI), obviously contradicts the additional assumption that $\mathrm{self} \notin S_c$. Thus the entire precondition of the receiver reduces to false, from which we can derive false as the postcondition of the body of the method $m$. From this in turn we can easily derive by rule (MI) the correctness formula above.

5 Conclusions 

In this paper we have given a proof system for a sequential object-oriented programming language, called SPOOL, that fulfills the requirements we have listed in the introduction.

In [6] detailed proofs are given of both soundness (i.e. every derivable cor- 
rectness formula is valid) and (relative) completeness (every valid correctness 
formula is derivable, assuming, as additional axioms, all the valid assertions). 
These proofs are considerable elaborations of the corresponding proofs of the 
soundness and completeness of a simple sequential programming language with 
recursive procedures (as described in, for example, [3] and [5]). 

Related work To the best of our knowledge the proof system presented is the first sound and complete proof system for a sequential object-oriented language. In [1] and [10] different Hoare-style proof systems for sequential object-oriented languages are given which are based on the global store model as it has been developed for the semantics of Algol-like languages. This model however introduces a difference between the abstraction level of the assertion language and that of the programming language itself. Moreover, as observed in [1], the global store model gives rise to incompleteness.

Future research The proof rule for message passing, incorporating the passing of parameters and result, context switching, and the constancy of the variables of the sending object, is rather complex. It seems to work fine for our proof system, but its properties have not yet been studied extensively enough. It would be interesting to see whether the several things that are handled in one rule could be dealt with by a number of different, simpler rules.

We have considered in this paper only partial correctness. But we are cur- 
rently working on extensions which allow one to prove absence of deadlock and 
termination. 

In the present proof system the protection properties of objects are not re- 
flected very well. While in the programming language it is not possible for one 
object to access the internal details (variables) of another one, in the assertion 
language this is allowed. In order to improve this it might be necessary to devel- 
op a system in which an object presents some abstract view of its behaviour to 
the outside world. Such an abstract view of an object we expect to consist of a 
specification of the interface of an object as it is used in [4, 6, 7, 8] for reasoning 
about systems composed of objects which execute in parallel. 

Related to the above is the problem of a formal justification of the appropriateness of the abstraction level of a formalism for describing properties of dynamically evolving object structures. We expect that such a formal justification involves a fully abstract semantics of the notion of an object. A related question, as already described above, is to what extent the problems with the incompleteness of the global store model are due to the particular choice of the abstraction level.

In any case, we expect that our approach provides an appropriate basis for specifying high-level object-oriented programming mechanisms such as subtyping, abstract types and inheritance.
Abstract. Several extensions of tree automata have been defined in order to take non-linearity in terms into account. Roughly, these automata allow equality or disequality constraints between subterms. They have been used to get decision results, e.g. in term rewriting. One natural question arises when we consider a language recognized by such an automaton: is this language recognizable, i.e. are the constraints necessary? Here we study this problem in the class REC≠ corresponding to comparisons between brothers and we prove its decidability. It gives e.g. a decision procedure for testing whether the image by a quasi-alphabetic homomorphism of a recognizable tree language is recognizable.



1 Introduction 

Even if many concepts in tree languages can be viewed as extensions of the word case, some new difficulties and phenomena arise when we consider trees, in particular "non-linearity" (a term is non-linear if it contains two occurrences of the same variable). For example, the family of recognizable sets is not closed under non-linear homomorphisms. Actually tree automata cannot deal with non-linear terms: e.g. the set of terms containing an occurrence of $f(x, x)$ is not recognizable. As non-linear terms occur very often, e.g. in logic or equational programming, several extensions of tree automata have been defined in order to take non-linearity in terms into account.

The first one is the class of automata with equality tests (Rateg automata) [13]; unfortunately, the emptiness problem is undecidable for this class. Several "decidable" classes have then been defined, restricting the tests in order to keep good decidability and closure properties.

First, Bogaert and Tison [3] introduced REC≠ automata (tree automata with comparisons between brothers) and denoted REC≠ the set of languages recognized by these automata. The rules use tests in order to impose either equalities or differences between brother terms: rules like $f(q,q)[x_1 = x_2] \to q_1$ or $f(q,q)[x_1 \neq x_2] \to q_2$ are allowed. The emptiness problem in REC≠ has been proved decidable in [3] and the class has good closure properties.

A more general class with good decidability properties has then been introduced (Caron et al. [5,4,6]): the class of reduction automata, which roughly allow arbitrary disequality constraints but only finitely many equality constraints on each run of the automaton. By using these classes, interesting decision results have been obtained; for example, the encompassment theory¹ can be shown decidable by using reduction automata, and decidability of ground reducibility is a direct consequence of this result ([7]).

One natural question arises when we consider a language recognized by an automaton with tests: is this language recognizable, and in this case can we compute the corresponding "classic" automaton? In other words, can we decide whether "constraints are really necessary to define the language"? Getting rid of constraints allows e.g. the use of classical algorithms for recognizable sets. For the class of reduction automata, this problem strictly contains the decidability of recognizability for the set of normal forms of a rewrite system, a problem which has been solved but whose proofs are very technical [12,14].

Here we give a positive answer to this problem for REC≠ languages: we can decide whether such a language is recognizable (and compute a classic automaton when it exists). This partial result has some interesting corollaries; it gives e.g. a decision procedure for testing whether the image by a quasi-alphabetic homomorphism of a recognizable tree language is recognizable. (This result can be connected with the cross-section theorem; the cross-section theorem is false in general for trees; it is true when the morphism is linear [1], or when the morphism is quasi-alphabetic and the image is recognizable. It is conjectured true when the image is recognizable [8].) The result can also be used to decide properties of term rewrite systems. When a rewrite system $R$ has "good" properties (the occurrences of a variable are "brothers"; this includes the case of shallow systems [11]), it gives a procedure to test recognizability of the set of normal forms of $R$ which is much easier than the general one, and it allows testing whether the set of direct descendants $R(L)$ is recognizable for a recognizable language $L$: testing these properties can be useful e.g. for computing normalizing terms or reachable terms ([15], [10]).

The spirit of the proof is natural: we define a kind of "minimization" very similar to the classical one (Myhill-Nerode theorem for tree languages [9,6]). The difficulty is to extend the notion of context by adding equality or disequality constraints. Then the point is that in the "minimized" automaton it should appear "clearly" whether the constraints are necessary or not: e.g., when we get two rules $f(q,q)[x_1 = x_2] \to q_1$ and $f(q,q)[x_1 \neq x_2] \to q_2$, with $q_1$ and $q_2$ non-equivalent, it should mean that we need the constraints and so that the language is not recognizable. Actually, the proof is a little more intricate, since finite languages can disturb the "natural" minimization. E.g. the "minimized" automaton associated with the recognizable language $h^*(\{f(a,a), f(b,b)\})$ is $a \to q,\ b \to q,\ f(q,q)[x_1 = x_2] \to q_f,\ h(q_f) \to q_f$, and thus uses constraints. So, a first step of the proof is devoted to eliminating these degenerate cases.

After the basic definitions given in Section 2, REC≠ automata are introduced in Section 3. Section 4 is devoted to the proof.

¹ The encompassment theory is the set of first-order formulas with predicates $red_t(x)$, $t$ a term. In the theory $red_t(x)$ holds if and only if $x$ is a ground term encompassing $t$, i.e. an instance of $t$ is a subterm of $x$.
2 Preliminaries

The set of nonnegative integers is denoted $\mathbb{N}$ and $\mathbb{N}^*$ denotes the set of finite-length strings over $\mathbb{N}$. For $n \in \mathbb{N}$, $[n]$ denotes the set $\{1, \ldots, n\}$, so that $[0]$ is another name for the empty set $\emptyset$.

An alphabet $\Sigma$ is ranked if $\Sigma = \bigcup_p \Sigma_p$ where $\Sigma_p \neq \emptyset$ only for a finite number of $p$'s and the non-empty $\Sigma_p$ are finite and pairwise disjoint. Elements of $\Sigma_p$ are said to be of arity $p$. Elements of arity 0 are called constants. We suppose that $\Sigma$ contains at least one constant.

Let $X$ be a set of variables. A term over $\Sigma \cup X$ is a partial function $t : \mathbb{N}^* \to \Sigma \cup X$ with domain $Pos(t)$ satisfying the following properties:

- $Pos(t)$ is nonempty and prefix-closed;

- If $t(\alpha) \in \Sigma_n$, then $\{i \in \mathbb{N} \mid \alpha i \in Pos(t)\} = \{1, 2, \ldots, n\}$;

- If $t(\alpha) \in X$, then $\{i \in \mathbb{N} \mid \alpha i \in Pos(t)\} = \emptyset$.

The set of all terms (or trees) is denoted by $T_\Sigma(X)$. If $X = \emptyset$ then $T_\Sigma(X)$ is denoted by $T_\Sigma$. Each element of $Pos(t)$ is called a position.

Let $t \in T_\Sigma(X)$ and $p \in Pos(t)$. We denote by $t|_p$ the subterm of $t$ rooted at position $p$ and by $t(p)$ the label of $t$ at position $p$. For all $i \in [n]$ such that $pi \in Pos(t)$, $t|_{pi}$ is said to be a son of the label $t(p)$.

Let $X_n$ be a set of $n$ variables. A term $C \in T_\Sigma(X_n)$ where each variable occurs at most once in $C$ is called a context. The term $C[t_1, \ldots, t_n]$ for $t_1, \ldots, t_n \in T_\Sigma$ denotes the term in $T_\Sigma$ obtained from $C$ by replacing, for each $i \in [n]$, $x_i$ by $t_i$. We denote by $C^n(\Sigma)$ the set of contexts over the $n$ variables $\{x_1, \ldots, x_n\}$ and by $C(\Sigma)$ the set of contexts containing a single variable.

3 Tree Automata with Comparisons between Brothers 

Automata with comparisons between brothers (REC≠ automata) have been introduced by Bogaert and Tison [3]. They impose either equalities or differences between brother terms. These equalities and differences are expressed by constraint expressions. Here we will restrict ourselves to defining normalized-complete REC≠ automata (each REC≠ automaton is equivalent to an automaton called normalized-complete automaton [3]).

Rules of normalized-complete REC≠ automata impose, for each pair $(pi, pj)$ of positions of a term $t$ where $p$ is a position and $i \neq j \in \mathbb{N}$, that $t|_{pi} = t|_{pj}$ or $t|_{pi} \neq t|_{pj}$. These comparisons are expressed by full constraint expressions.

First, we define the notion of full constraint expressions. Then we give the definition of normalized-complete REC≠ automata.

Definition 1. A full constraint expression $c$ over $n$ variables $(x_i)_{i \in [n]}$, $n \in \mathbb{N}$, (in the following $x_i$ will always denote the $i$-th son of a node) is a conjunction of equalities $x_i = x_j$ and of disequalities $x_i \neq x_j$ such that there exists a partition $(E_k)_{k \in [m]}$ of $[n]$, $m \leq n$, satisfying:

$$c \;=\; \bigwedge_{k \in [m]} \;\bigwedge_{l, l' \in E_k} x_l = x_{l'} \;\wedge\; \bigwedge_{k, k' \in [m],\, k \neq k'} \;\bigwedge_{l \in E_k,\, l' \in E_{k'}} x_l \neq x_{l'} \qquad (1)$$

We denote $c = (E_k)_{k \in [m]}$ in order to simplify the notation, $card(c) = m$ the cardinality of $c$, and $CE^n$ the set of full constraint expressions over $n$ variables. For example, $CE^3 = \{(\{1,2,3\}),\ (\{1,2\},\{3\}),\ (\{1,3\},\{2\}),\ (\{2,3\},\{1\}),\ (\{1\},\{2\},\{3\})\}$.

In the case $n = 0$, the full constraint expression over no variable is denoted by $\top$ (null constraint).

Definition 2. A tuple of terms $(t_i)_{i \in [n]}$ satisfies a full constraint expression $c$ iff the evaluation of $c$ for the valuation $(\forall i \leq n,\ x_i = t_i)$ is true, when "$=$" is interpreted as equality of terms, "$\neq$" as its negation, "$\top$" as true, and $\wedge$ as the usual boolean function and. For example, the tuple of constants $(a, b, a)$ satisfies the full constraint expression $x_1 \neq x_2 \wedge x_1 = x_3 \wedge x_2 \neq x_3$.

Let us remark that if $c$ and $c'$ are full constraint expressions over $n$ variables then $c \wedge c'$ is unsatisfiable if $c \neq c'$.

Definition 3. Let $c$ be a full constraint expression of $CE^n$ and $(q_i)_{i \in [n]}$ be an $n$-tuple of states. We say that $(q_i)_{i \in [n]}$ satisfies the equality constraints of $c$ if $\forall k, l \in [n]$, $(c \Rightarrow (x_k = x_l)) \Rightarrow (q_k = q_l)$.

Let us now define normalized-complete REC≠ automata.

Definition 4. A normalized-complete automaton $A$ with comparisons between brothers (normalized-complete REC≠ automaton) is a tuple $(\Sigma, Q, F, \mathcal{R})$ where $\Sigma$ is a ranked alphabet, $Q$ a finite set of states, $F \subseteq Q$ a set of final states and $\mathcal{R} \subseteq \bigcup_n \Sigma_n \times CE^n \times Q^n \times Q$ a set of rules (a rule $(f, c, q_1, \ldots, q_n, q)$ will be denoted $f(q_1, \ldots, q_n)[c] \to q$) with:

• $A$ deterministic, i.e. for all rules $f(q_1, \ldots, q_n)[c] \to q$ and $f(q_1, \ldots, q_n)[c] \to q'$, $q = q'$;

• For each letter $f \in \Sigma_n$, each $n$-tuple $(q_i)_{i \in [n]} \in Q^n$, each constraint $c$ of $CE^n$ such that $(q_i)_{i \in [n]}$ satisfies the equality constraints of $c$, there exists at least one rule $f(q_1, \ldots, q_n)[c] \to q$;

• And for each letter $f \in \Sigma_n$, each $n$-tuple $(q_i)_{i \in [n]} \in Q^n$, each constraint $c$ of $CE^n$ such that $(q_i)_{i \in [n]}$ does not satisfy the equality constraints of $c$, there exists no rule $f(q_1, \ldots, q_n)[c] \to q \in \mathcal{R}$.

Let $f \in \Sigma_n$ and $(t_i)_{i \in [n]}$ be terms of $T_\Sigma$. The relation $\to^*_A$ is defined as follows:

$f(t_1, \ldots, t_n) \to^*_A q$ if and only if there exists $f(q_1, \ldots, q_n)[c] \to q \in \mathcal{R}$ such that $\forall i \in [n],\ t_i \to^*_A q_i$ and $(t_i)_{i \in [n]}$ satisfies the constraint $c$.

Let $q$ be a state of $Q$. We denote by $\mathcal{L}_A(q)$ the set of terms $t$ such that $t \to^*_A q$. A tree $t \in T_\Sigma$ is accepted by $A$ if there exists a final state $q$ such that $t \in \mathcal{L}_A(q)$. The language $\mathcal{L}(A)$ recognized by $A$ is the set of accepted terms. We denote by REC≠ the set of tree languages recognized by the class of REC≠ automata.
Example 5. Let $A = (\{a, h, f\}, \{q, q_f, q_p\}, \{q_f\}, \mathcal{R})$ with $\mathcal{R}$:

$a \to q$, $h(q) \to q$, $h(q_f) \to q_p$, $h(q_p) \to q_p$, $f(q,q,q)[c] \to q_f$, $f(q,q,q)[c'] \to q_p$ for all $c' \in CE^3 \setminus \{c\}$, $f(q_1,q_2,q_3)[c'] \to q_p$ for all $(q_1,q_2,q_3) \in Q^3 \setminus \{(q,q,q)\}$ and all $c' \in CE^3$,

where $c$ is the full constraint expression $x_1 = x_2 \wedge x_1 \neq x_3 \wedge x_2 \neq x_3$. Then $A$ recognizes the language $\{f(h^n(a), h^n(a), h^m(a)) \mid m, n \in \mathbb{N},\ m \neq n\}$.




Bruno Bogaert et al. 



4 Recognizability Problem 

We consider the recognizability problem in the class REC≠:

Input: A ranked alphabet $\Sigma$ and a language $L \in$ REC≠.

Question: Is $L$ recognizable?

We will prove that the recognizability problem is decidable; furthermore, when 
the input language is recognizable, our algorithm computes a corresponding tree 
automaton. 

The idea of the algorithm is the following: we define a kind of minimization, close to the classic one (Myhill-Nerode theorem for tree languages [9,6]) but dealing with constraints: roughly, two states will be equivalent when they have the same behaviour for the same context with constraints. This needs defining constrained terms, which are terms labeled with equality and disequality constraints. Then, the point is that, when the reduction works well, the unnecessary constraints should be dropped. For example, let us suppose that we have two rules $f(q,q)[x_1 = x_2] \to q_1$ and $f(q,q)[x_1 \neq x_2] \to q_2$; when $q_1$ and $q_2$ are equivalent, it means that the constraints are not necessary.

However, the reasoning fails when the language associated with a state is finite: $a \to q,\ b \to q,\ f(q,q)[x_1 = x_2] \to q_f$ uses constraints to define the finite (thus recognizable) language $\{f(a,a), f(b,b)\}$. So in a first step, we eliminate the states $q$ such that $\mathcal{L}_A(q)$ is finite (Section 4.1). Then we extend the notion of context to take equality and disequality constraints into account (Section 4.2) and then we define and compute "the" reduced automaton (Section 4.3). Finally, we prove that the language is recognizable iff the reduced automaton is not "constraint-sensitive" (Section 4.4), i.e. two rules whose left-hand sides differ only by their constraints have the same right-hand side. We deduce decidability of the recognizability problem in the class REC≠ and obtain an effective construction of the corresponding automaton when the language is recognizable.

4.1 How to reduce to the "infinite" case

Let $L \in$ REC≠ and $A = (\Sigma, Q, F, \mathcal{R})$ be a normalized-complete REC≠ automaton recognizing $L$. Let us suppose that there exists at least one state $q$ of $A$ such that $\mathcal{L}_A(q)$ is finite. Let us denote:

$$L_1 = \bigcup_{q \in F,\ \mathcal{L}_A(q)\ \text{finite}} \mathcal{L}_A(q) \qquad \text{and} \qquad L_2 = \bigcup_{q \in F,\ \mathcal{L}_A(q)\ \text{infinite}} \mathcal{L}_A(q).$$

Since $\mathcal{L}(A) = L_1 \cup L_2$ and $L_1$ is finite, $\mathcal{L}(A)$ is recognizable iff $L_2$ is recognizable. The language $L_2$ is recognized by the REC≠ automaton $B = (\Sigma, Q, F', \mathcal{R})$ where $F' = \{q \mid q \in F,\ \mathcal{L}_A(q)\ \text{infinite}\}$. We construct a new alphabet $\Gamma$ by encoding, for each state $q$ such that $\mathcal{L}_A(q)$ is finite, the terms of $\mathcal{L}_A(q)$ in the symbols of $\Gamma$. We define a REC≠ automaton $B'$ on $\Gamma$ and a linear morphism $\varphi$ from $T_\Gamma(X)$ onto $T_\Sigma(X)$ such that for each state $q$ of $B'$, $\mathcal{L}_{B'}(q)$ is infinite, and such that $\varphi(\mathcal{L}(B')) = \mathcal{L}(B)$ and $\varphi^{-1}(\mathcal{L}(B)) = \mathcal{L}(B')$. We deduce that ($\mathcal{L}(B)$ is recognizable) $\Leftrightarrow$ ($\mathcal{L}(B')$ is recognizable) since $\varphi$ is linear (the entire proof can be found in [2]). We deduce that the general case can be reduced to the infinite case since for each state $q$ of the automaton $B'$, $\mathcal{L}_{B'}(q)$ is infinite.
Before studying the "infinite" case, let us give an example of the construction of $B'$ and $\varphi$. Let $\Sigma = \{a/0, f/2\}$ and $B = (\Sigma, Q, F', \mathcal{R})$ where $Q = \{q, q_p, q_f\}$, $F' = \{q_f\}$ and $\mathcal{R}$ is composed of the following rules:

$a \to q$, $f(q,q)[x_1 = x_2] \to q_f$, $f(q_f,q_f)[x_1 = x_2] \to q_f$, $f(q_p,q_p)[x_1 = x_2] \to q_p$, $f(q_1,q_2)[x_1 \neq x_2] \to q_p$ for all $(q_1,q_2) \in Q \times Q$.

$B$ is a normalized-complete REC≠ automaton. Obviously $\mathcal{L}_B(q) = \{a\}$, and $\mathcal{L}_B(q_p)$ and $\mathcal{L}_B(q_f)$ are infinite. Then we consider a symbol $\square$ not in $\Sigma$ and we define the alphabet $\Gamma = \{f_{(\square,\square)}, f_{(\square,a)}, f_{(a,\square)}, f_{(a,a)}\}$.

Then $B' = (\Gamma, Q', F', \mathcal{R}')$ is the REC≠ automaton where $Q' = \{q_p, q_f\}$ and $\mathcal{R}'$ is composed of the following rules:

$f_{(a,a)} \to q_f$, $f_{(\square,\square)}(q_1,q_2)[x_1 \neq x_2] \to q_p$ for all $(q_1,q_2) \in Q' \times Q'$, $f_{(\square,a)}(q_1) \to q_p$ for all $q_1 \in Q'$, $f_{(\square,\square)}(q_f,q_f)[x_1 = x_2] \to q_f$, $f_{(a,\square)}(q_2) \to q_p$ for all $q_2 \in Q'$, $f_{(\square,\square)}(q_p,q_p)[x_1 = x_2] \to q_p$.

And $\varphi : T_\Gamma(X) \to T_\Sigma(X)$ is the linear morphism defined as follows:

$\varphi(f_{(a,a)}) = f(a,a)$, $\varphi(f_{(\square,a)})(x_1) = f(x_1, a)$, $\varphi(f_{(\square,\square)})(x_1, x_2) = f(x_1, x_2)$, $\varphi(f_{(a,\square)})(x_1) = f(a, x_1)$.

So we can suppose in the rest of the proof that for each state $q$ of the normalized-complete automaton $A = (\Sigma, Q, F, \mathcal{R})$ recognizing $L$, $\mathcal{L}_A(q)$ is infinite.

4.2 Constrained Terms

In the class of recognizable tree languages, an equivalence relation using contexts is used in order to minimize the automata (Myhill-Nerode theorem for tree languages [9,6]). We define a similar notion in the class of REC≠ automata. As the rules of REC≠ automata contain comparisons between brother terms, we introduce the notion of terms imposing equalities and disequalities between brother terms, these comparisons being expressed by full constraint expressions. Such terms are called constrained terms. The label of a constrained term at a position $p$ is the combination of a symbol and of a full constraint expression $c$ such that the equality constraints of $c$ are satisfied by the sons of the label and such that there is no disequality constraint between equal ground sons of the label. Leaves of a constrained term may also be states or occurrences of a unique variable.

More formally, let $x$ be a variable and $\Sigma'$ be the ranked alphabet defined by $\forall n \in \mathbb{N},\ \Sigma'_n = \{f_c \mid f \in \Sigma_n,\ c \in CE^n\}$. A constrained term $C$ over $\Sigma \cup Q$ is a term of $T_{\Sigma'}(Q \cup \{x\})$ where the states of $Q$ are constants and, for every non-leaf position $p$ of $C$, there is $n > 0$ such that $C(p) = f_c \in \Sigma'_n$ with:

• The $n$-tuple $(C|_{pi})_{i \in [n]}$ satisfies the equality constraints of $c$;

• $c$ contains no disequality constraint between equal ground sons, i.e. $\forall i, j \in [n]$, $(C|_{pi} \in T_{\Sigma'}$ and $C|_{pi} = C|_{pj}) \Rightarrow (c \Rightarrow x_i = x_j)$.

Example 6. Let $g, f \in \Sigma_2$ and $q_1, q_2 \in Q$. Then $f_c(g_{c'}(q_1, x), g_{c'}(q_2, x))$ with $c = [x_1 = x_2]$ and $c' = [x_1 \neq x_2]$ is not a constrained term since $g_{c'}(q_1, x) \neq g_{c'}(q_2, x)$. But $f_c(g_{c'}(q_1, x), g_{c'}(q_1, x))$ with $c = [x_1 = x_2]$ and $c' = [x_1 \neq x_2]$ is a constrained term.
Constrained terms are terms, hence we use the usual notion of height of a term on constrained terms, with $height(C) = 0$ if $C \in Q \cup \{x\}$ and $height(C) = 1$ if $C \in \Sigma'_0$. Let $C$ be a constrained term and $q \in Q$; we denote by $C[q]$ the constrained term obtained from $C$ by replacing each occurrence of $x$ by $q$.

Run on constrained terms. We extend the notion of run on terms to runs on constrained terms. Let $C$ be a constrained term and $q, q'$ be states. We denote $C[q] \to^*_A q'$ iff

• either $C = q'$, or ($C = x$ and $q = q'$);

• or $C = f_c(C_1, \ldots, C_n)$ with $f_c \in \Sigma'_n$, $(C_i)_{i \in [n]}$ constrained terms such that $\forall i \in [n],\ C_i[q] \to^*_A q_i$ and $f(q_1, \ldots, q_n)[c] \to q' \in \mathcal{R}$.

Let us now extend the notion of run to runs between constrained terms. Let $C, C'$ be constrained terms and $q$ be a state. We denote $C[q] \to^*_A C'$ iff there exists a set $P$ of positions of $C'$ such that:

• $\forall p \in P$, $C'|_p \in Q$ and $C[q]|_p \to^*_A C'|_p$;

• $\forall p \in Pos(C')$ not prefixed by a position of $P$, $C'(p) = C[q](p)$.

4.3 Minimization

Definition 7. Let $\equiv_A$ be the relation on $Q$ defined by: for all $q, q' \in Q$, $q \equiv_A q'$ if for each constrained term $C$, $(C[q] \to^*_A q_1 \in F \Leftrightarrow C[q'] \to^*_A q_2 \in F)$.

The relation $\equiv_A$ is obviously an equivalence relation. In the following, we associate with the automaton $A$ a normalized-complete REC≠ automaton $A_m$, said "minimized", whose states are the equivalence classes of the relation $\equiv_A$ and such that $\mathcal{L}(A) = \mathcal{L}(A_m)$.

First we prove that the equivalence classes of the relation $\equiv_A$ are computable. Then we define the automaton $A_m$.

Equivalence Classes. Algorithm EQUIV

input: normalized-complete REC≠ automaton $A = (\Sigma, Q, F, \mathcal{R})$
begin
    set $P$ to $\{F, Q \setminus F\}$    /* $P$ is the initial equivalence relation */
    repeat
        $P' := P$
        /* refine the equivalence $P'$ into $P$ */
        $q\,P\,q'$ if $q\,P'\,q'$ and for every constrained term $C$ of height 1,
            $C[q] \to^*_A q_1$ and $C[q'] \to^*_A q_2$ with $q_1\,P'\,q_2$
    until $P' = P$
    output: $P$, the set of equivalence classes of $\equiv_A$
end

We denote by $\bar{q}$ the equivalence class of a state $q$ w.r.t. $P$, the set computed by the algorithm EQUIV. Let us prove that the algorithm EQUIV is correct, i.e. that $P$ is the set of equivalence classes of $\equiv_A$ (Lemma 10). First we consider two rules whose left-hand sides differ only by replacing all occurrences of one state, bound together by the equalities imposed by the constraint, by a state of the same equivalence class w.r.t. $P$. Then we prove that the right-hand sides of the two rules belong to the same equivalence class w.r.t. $P$ (Lemma 8). We deduce that the equivalence classes w.r.t. $P$ are compatible with the rules of the automaton $A$ (Corollary 9).

Lemma 8. Let $f(q_1, \ldots, q_n)[c] \to q \in \mathcal{R}$ and $f(q'_1, \ldots, q'_n)[c] \to q' \in \mathcal{R}$ such that there exists $j \in [n]$ with $q_j \in \bar{q'_j}$, and $\forall i \in [n]$, $((c \Rightarrow x_i = x_j) \Rightarrow q'_i = q'_j)$ and $((c \Rightarrow x_i \neq x_j) \Rightarrow q'_i = q_i)$. Then $q \in \bar{q'}$.

Proof. First the rule $f(q'_1, \ldots, q'_n)[c] \to q'$ is well defined since we can prove that $(q'_i)_{i \in [n]}$ satisfies the equality constraints of $c$. Let us now consider the constrained term $C$ defined by $head(C) = f_c$ and, for each $i \in [n]$, if $c \Rightarrow x_i = x_j$ then $C(i) = x$ else $C(i) = q_i$.

Obviously $\forall i \in [n]$, $C[q_j]|_i = f(q_1, \ldots, q_n)|_i$, hence $C[q_j] \to^*_A q$. Let us now prove that $\forall i \in [n]$, $C[q'_j]|_i = f(q'_1, \ldots, q'_n)|_i$. Let $i \in [n]$. If $c \Rightarrow x_i = x_j$ then $q'_i = q'_j$, so $C[q'_j]|_i = q'_j = q'_i = f(q'_1, \ldots, q'_n)|_i$. If $c \Rightarrow x_i \neq x_j$ then $C[q'_j]|_i = q_i = q'_i = f(q'_1, \ldots, q'_n)|_i$. Hence $\forall i \in [n]$, $C[q'_j]|_i = f(q'_1, \ldots, q'_n)|_i$, so $C[q'_j] \to^*_A q'$. Moreover $C$ is a constrained term of height 1, hence according to the EQUIV algorithm we have $q \in \bar{q'}$ since $q_j \in \bar{q'_j}$, which ends the proof of Lemma 8.

Corollary 9. Let $f(q_1, \ldots, q_n)[c] \to q \in \mathcal{R}$ and $f(q'_1, \ldots, q'_n)[c] \to q' \in \mathcal{R}$ such that $\forall j \in [n]$, $q_j \in \bar{q'_j}$. Then $q \in \bar{q'}$.

Let us now prove that the algorithm EQUIV is correct.

Lemma 10. $P$ is the set of equivalence classes of $\equiv_A$, i.e.:

$$\forall q, q' \in Q,\quad (q \equiv_A q') \Leftrightarrow (q \in \bar{q'}).$$

Proof. First, we can prove that $\forall q, q' \in Q$, $(q \notin \bar{q'}) \Rightarrow (q \not\equiv_A q')$ by induction on the step of the algorithm EQUIV at which $q$ and $q'$ are separated. We deduce that $\forall q, q' \in Q$, $(q \equiv_A q') \Rightarrow (q \in \bar{q'})$.

In order to prove the implication $\Leftarrow$, we first prove that:

$$\forall q, q' \in Q,\quad q \in \bar{q'} \Rightarrow \Big( \forall C \text{ constrained term},\ (C[q] \to^*_A s \ \text{and}\ C[q'] \to^*_A s') \Rightarrow s \in \bar{s'} \Big)$$

by induction on the height of the constrained term. Let $q, q' \in Q$ such that $q \in \bar{q'}$ and $C$ a constrained term such that $C[q] \to^*_A s$ and $C[q'] \to^*_A s'$.

$C$ of height 0: Either $C \in Q$: hence $\exists q'' \in Q$ such that $C = q''$. $C[q] = C[q'] = q''$, hence $s = s' = q''$. Finally $s \in \bar{s'}$. Or $C = x$: $C[q] = q$ and $C[q'] = q'$, hence $s = q$ and $s' = q'$. Finally $s \in \bar{s'}$ since $q \in \bar{q'}$.

Induction hypothesis: Let $k \in \mathbb{N}$. Let us suppose that the property is true for all constrained terms $C$ of height less than or equal to $k$. Let $C$ be a constrained term of height $k+1$. There exist $f \in \Sigma_n$, $c \in CE^n$, $(C_i)_{i \in [n]}$ constrained terms such that $C = f_c(C_1, \ldots, C_n)$. According to the induction hypothesis, $\forall i \in [n]$, $C_i[q] \to^*_A q_i$ and $C_i[q'] \to^*_A q'_i$ with $q_i \in \bar{q'_i}$. $(C_i)_{i \in [n]}$ satisfies the equality constraints of $c$. Moreover $A$ is deterministic, hence $\forall l, l' \in [n]$ such that $c \Rightarrow (x_l = x_{l'})$, we have $q_l = q_{l'}$ and $q'_l = q'_{l'}$ since $C_l = C_{l'}$. We deduce that $(q_i)_{i \in [n]}$ and $(q'_i)_{i \in [n]}$ satisfy the equality constraints of $c$. Hence, since $A$ is normalized-complete, there exist $f(q_1, \ldots, q_n)[c] \to s \in \mathcal{R}$ and $f(q'_1, \ldots, q'_n)[c] \to s' \in \mathcal{R}$.

Moreover $\forall i \in [n]$, $q_i \in \bar{q'_i}$. We deduce from Corollary 9 that $s \in \bar{s'}$.

At the beginning of the execution of EQUIV, $P = \{F, Q \setminus F\}$, hence:

$$\forall q \in F,\ \forall q' \in Q,\quad (q' \in \bar{q}) \Rightarrow (q' \in F) \qquad (2)$$

since each step of the algorithm only refines $P$. We deduce that $\forall q, q' \in Q$, $(q \in \bar{q'}) \Rightarrow (q \equiv_A q')$, which ends the proof of Lemma 10.

Let us now define the automaton $A_m$. Let us denote $\bar{q}$ the equivalence class of a state $q$ w.r.t. $\equiv_A$. Let $A_m = (\Sigma, Q_m, F_m, \mathcal{R}_m)$ be defined as follows:

• $Q_m$ is the set of equivalence classes of $\equiv_A$;

• $F_m = \{\bar{q} \mid q \in F\}$;

• $\mathcal{R}_m = \{f(\bar{q_1}, \ldots, \bar{q_n})[c] \to \bar{q} \mid \forall i \in [n]\ \exists q'_i \in \bar{q_i},\ \exists q' \in \bar{q}$ such that $f(q'_1, \ldots, q'_n)[c] \to q' \in \mathcal{R}\}$.

We prove now that $A_m$ is a normalized-complete REC≠ automaton (Lemma 11) and that $\mathcal{L}(A) = \mathcal{L}(A_m)$ (Lemma 12).

Lemma 11. $A_m$ is a normalized-complete REC≠ automaton.

Proof. First we prove that $A_m$ is deterministic. Let $f(\bar{q_1}, \ldots, \bar{q_n})[c] \to \bar{q} \in \mathcal{R}_m$ and $f(\bar{q_1}, \ldots, \bar{q_n})[c] \to \bar{s} \in \mathcal{R}_m$. According to the definition of $\mathcal{R}_m$:

• $\forall i \in [n]$, $\exists q'_i \in \bar{q_i}$, $\exists q' \in \bar{q}$ such that $f(q'_1, \ldots, q'_n)[c] \to q' \in \mathcal{R}$;

• $\forall i \in [n]$, $\exists q''_i \in \bar{q_i}$, $\exists s' \in \bar{s}$ such that $f(q''_1, \ldots, q''_n)[c] \to s' \in \mathcal{R}$.

$\forall i \in [n]$, $q'_i \in \bar{q''_i}$, hence according to Corollary 9, $s' \in \bar{q'}$. Then $\bar{q} = \bar{s}$ since $\bar{q} = \bar{q'}$, $\bar{s} = \bar{s'}$ and $\bar{q'} = \bar{s'}$. Finally $A_m$ is deterministic. Let us now prove that $A_m$ is normalized-complete. Let $f \in \Sigma_n$, $\bar{q_1}, \ldots, \bar{q_n} \in Q_m$ and $c \in CE^n$ such that $(\bar{q_i})_{i \in [n]}$ satisfies the equality constraints of $c$.

Let $(q'_i)_{i \in [n]}$ be such that $\forall i \in [n]$, $q'_i \in \bar{q_i}$ and $\forall k, l \in [n]$, $(c \Rightarrow (x_k = x_l)) \Rightarrow (q'_k = q'_l)$. The last condition can be met since $\forall k, l \in [n]$, $(c \Rightarrow (x_k = x_l)) \Rightarrow (\bar{q_k} = \bar{q_l})$, as $(\bar{q_i})_{i \in [n]}$ satisfies the equality constraints of $c$. $(q'_i)_{i \in [n]}$ satisfies the equality constraints of $c$ and $A$ is complete, hence $\exists f(q'_1, \ldots, q'_n)[c] \to q \in \mathcal{R}$. Hence $f(\bar{q'_1}, \ldots, \bar{q'_n})[c] \to \bar{q} \in \mathcal{R}_m$ by the definition of $\mathcal{R}_m$. Moreover $\forall i \in [n]$, $\bar{q_i} = \bar{q'_i}$, hence $f(\bar{q_1}, \ldots, \bar{q_n})[c] \to \bar{q} \in \mathcal{R}_m$.

Finally, we deduce that $A_m$ is a normalized-complete REC≠ automaton, which ends the proof of Lemma 11.



Lemma 12. $\mathcal{L}(A) = \mathcal{L}(A_m)$.

Proof. First we can prove by induction on the height of $t$ that $\forall t \in T_\Sigma$, $\forall q \in Q$, $(t \to^*_A q) \Rightarrow (t \to^*_{A_m} \bar{q})$. We deduce that $\mathcal{L}(A) \subseteq \mathcal{L}(A_m)$.

Then we deduce $\mathcal{L}(A_m) \subseteq \mathcal{L}(A)$ from the property (2) and the following property:

$$\forall t \in T_\Sigma,\ \forall q \in Q,\quad (t \to^*_{A_m} \bar{q}) \Rightarrow (\exists q' \in \bar{q} \text{ such that } t \to^*_A q').$$

We deduce that $\mathcal{L}(A) = \mathcal{L}(A_m)$, which ends the proof of Lemma 12.

Remark 13. We can prove easily that $\forall \bar{q} \in Q_m$, $\mathcal{L}_{A_m}(\bar{q})$ is infinite and that $\forall \bar{q}, \bar{q'} \in Q_m$, $(\bar{q} \equiv_{A_m} \bar{q'}) \Leftrightarrow (\bar{q} = \bar{q'})$.

4.4 Characterization

Let $A$ be a normalized-complete REC≠ automaton. According to Section 4.3, we can consider automata satisfying the properties of Remark 13. We give now a necessary and sufficient condition for the language recognized by $A$ to be recognizable.

Proposition 14. Let $A = (\Sigma, Q, F, \mathcal{R})$ be a normalized-complete REC≠ automaton such that for each state $q$ of $A$, $\mathcal{L}_A(q)$ is infinite, and such that $\forall q, q' \in Q$, $(q \equiv_A q') \Rightarrow (q = q')$. Then $\mathcal{L}(A)$ is recognizable if and only if for all rules $f(q_1, \ldots, q_n)[c] \to q$, $f(q_1, \ldots, q_n)[c'] \to q'$ of $\mathcal{R}$, we have $q = q'$.
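As an added illustration (not code from the paper, whose constructions are given only mathematically), the following Python models the objects of Section 3 and of Sections 4.3 and 4.4: full constraint expressions as set partitions of $[n]$ (Definition 1), normalized-complete REC≠ automata with their deterministic run (Definition 4), the refinement of Algorithm EQUIV over the height-1 constrained terms, and the test of Proposition 14, applied by comparing the $\equiv_A$-classes of the right-hand sides of rules that differ only in their constraint (which is the same as applying the Proposition to $A_m$). It is run on the automaton of Example 5, which comes out constraint-sensitive, and on a second automaton, HASF, which is our own construction over $\{a/0, h/1, f/2\}$ accepting the terms that contain an $f$: its rules $f(q,q)[x_1 = x_2] \to q_e$ and $f(q,q)[x_1 \neq x_2] \to q_d$ have different targets that are nevertheless $\equiv_A$-equivalent, so its constraints are unnecessary. The class and function names and the encoding of terms as nested tuples are assumptions of this example.

```python
from itertools import product
# Added illustration, not the paper's code; names (RecNeq, delta5, HASF) are ours.
def hn(t, n):
    """h^n(t): a term is a tuple (symbol, son_1, ..., son_n), a constant (symbol,)."""
    for _ in range(n):
        t = ('h', t)
    return t

def partitions(n):
    """CE^n: a full constraint expression is a set partition of [n] (Definition 1)."""
    if n == 0:
        yield frozenset()                      # the null constraint T
        return
    for p in partitions(n - 1):
        blocks = list(p)
        for i, b in enumerate(blocks):         # n joins an existing block ...
            yield frozenset(blocks[:i] + [b | {n}] + blocks[i + 1:])
        yield p | {frozenset({n})}             # ... or opens a new one

def induced(items):
    """The unique c in CE^n that a tuple satisfies (Definition 2)."""
    blocks = {}
    for i, it in enumerate(items, 1):
        blocks.setdefault(it, set()).add(i)    # equal items share a block
    return frozenset(frozenset(b) for b in blocks.values())

def satisfies_equalities(states, c):
    """Definition 3: (c => x_k = x_l) implies q_k = q_l."""
    return all(len({states[i - 1] for i in b}) == 1 for b in c)

class RecNeq:
    """Normalized-complete REC≠ automaton (Definition 4) built from delta(f, states, c)."""
    def __init__(self, arity, states, final, delta):
        self.arity, self.Q, self.F = arity, tuple(states), frozenset(final)
        # exactly one rule per (f, states, c) whose states satisfy the equalities of c
        self.rules = {(f, qs, c): delta(f, qs, c)
                      for f, n in arity.items()
                      for qs in product(self.Q, repeat=n)
                      for c in partitions(n) if satisfies_equalities(qs, c)}

    def run(self, t):
        """The unique state q with t ->*_A q (A is deterministic)."""
        sons = t[1:]
        return self.rules[(t[0], tuple(map(self.run, sons)), induced(sons))]

    def height1_contexts(self):
        """Height-1 constrained terms f_c(C_1..C_n): sons are states or x, blocks of c uniform."""
        for f, n in self.arity.items():
            for c in partitions(n):
                blocks = sorted(c, key=min)
                for labels in product(('x',) + self.Q, repeat=len(blocks)):
                    sons = [None] * n
                    for b, l in zip(blocks, labels):
                        for i in b:
                            sons[i - 1] = l
                    yield f, tuple(sons), c

    def equiv_classes(self):
        """Algorithm EQUIV: refine {F, Q\\F} by the height-1 constrained terms."""
        cls = {q: int(q in self.F) for q in self.Q}
        while True:
            sig = {q: (cls[q],) + tuple(
                cls[self.rules[(f, tuple(q if l == 'x' else l for l in sons), c)]]
                for f, sons, c in self.height1_contexts()) for q in self.Q}
            keys = sorted(set(sig.values()))
            new = {q: keys.index(sig[q]) for q in self.Q}
            if len(keys) == len(set(cls.values())):   # no class was split: P' = P
                return new
            cls = new

    def constraint_sensitive(self):
        """Proposition 14 (every L_A(q) infinite assumed): rules differing only in c must reach ≡_A-equivalent states."""
        cls, first = self.equiv_classes(), {}
        return any(cls[q] != cls[first.setdefault((f, qs), q)]
                   for (f, qs, c), q in self.rules.items())

# Example 5: {f(h^n(a), h^n(a), h^m(a)) | m != n}, c = x1 = x2 ∧ x1 ≠ x3 ∧ x2 ≠ x3.
C5 = frozenset({frozenset({1, 2}), frozenset({3})})
def delta5(f, qs, c):
    if f in ('a', 'h'):
        return 'q' if f == 'a' or qs == ('q',) else 'qp'
    return 'qf' if qs == ('q', 'q', 'q') and c == C5 else 'qp'

EX5 = RecNeq({'a': 0, 'h': 1, 'f': 3}, ['q', 'qf', 'qp'], ['qf'], delta5)
# Constructed contrast (not in the paper): terms over {a/0, h/1, f/2} containing an f.
# f(q,q)[x1 = x2] -> qe and f(q,q)[x1 ≠ x2] -> qd differ, but qe ≡_A qd: recognizable.
def delta_f(f, qs, c):
    if f == 'a' or qs == ('q',):
        return 'q'
    return 'qe' if f == 'f' and qs == ('q', 'q') and len(c) == 1 else 'qd'

HASF = RecNeq({'a': 0, 'h': 1, 'f': 2}, ['q', 'qe', 'qd'], ['qe', 'qd'], delta_f)
def summary():
    a = ('a',)
    return {'run_2_2_1': EX5.run(('f', hn(a, 2), hn(a, 2), hn(a, 1))),  # 'qf'
            'ex5_classes': len(set(EX5.equiv_classes().values())),      # 3
            'ex5_sensitive': EX5.constraint_sensitive(),                # True
            'hasf_classes': len(set(HASF.equiv_classes().values())),    # 2
            'hasf_sensitive': HASF.constraint_sensitive()}              # False
```

Both automata already satisfy the hypothesis of Proposition 14 that every $\mathcal{L}_A(q)$ is infinite, so the reduction of Section 4.1 is not needed for them; `summary()` returns the run results, the number of $\equiv_A$-classes found by EQUIV and the outcome of the sensitivity test for each.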

In order to prove Proposition 14, we need some technical lemmas. First, since the language recognized by each state of $A$ is infinite, we prove that we can "instantiate" each constrained term to a ground term. In fact we prove (Definition 15 and Lemma 16) that we can associate with each constrained term over $\Sigma \cup Q$ a constrained term over $\Sigma$ without occurrence of $x$, by replacing each occurrence of a state $q$ by an element of $\mathcal{L}_A(q)$ and each occurrence of $x$ by an element of an infinite set of ground terms.

Definition 15. Let $C$ be a constrained term. We denote:

• $V(C)$ the set of variable positions of $C$: $V(C) = \{p \in Pos(C) \mid C(p) = x\}$;

• $S(C)$ the set of state positions of $C$: $S(C) = \{p \in Pos(C) \mid C(p) \in Q\}$;

• For each $q \in Q$, $S(C)(q) = \{p \in S(C) \mid C(p) = q\}$.

Lemma 16. Let $C$ be a constrained term over $\Sigma \cup Q$ and $T$ be an infinite set of terms of $T_\Sigma$. There exists a constrained term $C'$ over $\Sigma$ without occurrence of $x$ such that:

• $\forall p \in Pos(C) \setminus (V(C) \cup S(C))$, $C'(p) = C(p)$;

• Each variable of $C$ is replaced by the constrained term associated with an element of $T$, i.e. $\forall p \in V(C)$, $\exists t \in T$, $C'|_p = lab_t$;

• Each state of $C$ is replaced by the constrained term associated with an element of the language recognized by the state, i.e. $\forall q \in Q$, $\forall p \in S(C)(q)$, $\exists t \in \mathcal{L}_A(q)$, $C'|_p = lab_t$,

where $lab_t$ denotes, for each term $t$, the constrained term over $\Sigma$ obtained from $t$, i.e. $\forall p \in Pos(t)$, if $t(p) = f \in \Sigma_n$, $n > 0$, then $lab_t(p) = f_c$ with $c$ the full constraint expression satisfied by $(t|_{pi})_{i \in [n]}$; otherwise $lab_t(p) = t(p)$.
Proof. Let $C$ be a constrained term over $\Sigma \cup Q$ and $T$ be an infinite set of terms of $T_\Sigma$. First let us deduce, from the full constraint expressions at each position of $C$, full constraint expressions between the positions of $C$ where the variable $x$ occurs and between the positions of $C$ where the same state occurs.

In fact, if we consider the positions where the variable $x$ occurs (positions of $V(C)$), we express all the equalities between these positions imposed by the constraints of $C$. When no equality is imposed between two positions we impose a disequality, since:

♦ constraints impose only equalities between brothers, hence between terms whose positions have the same length;

♦ according to the definition of constrained terms, equalities are only imposed between equal terms in a constrained term.

We can do the same for the positions of $S(C)(q)$ for each $q$ of $Q$.

More formally, for each position $p$ of $C$ such that $C(p) \in \Sigma'$, we denote $cont_C(p)$ the constraint obtained by projection from $\Sigma'$ onto $CE$ (i.e. $cont_C(p) = c$ when $C(p) = f_c$), and we define, for each $p \in S(C) \cup V(C)$, a variable $z_p$. We denote $c_{V(C)}$ the full constraint expression over $(z_p)_{p \in V(C)}$ and, $\forall q \in Q$, $c_{S(C)(q)}$ the full constraint expression over $(z_p)_{p \in S(C)(q)}$, defined as follows:

1. We express the equalities imposed by the constraints: $\forall p \in Pos(C)$, $\forall i, j$, $(cont_C(p) \Rightarrow (x_i = x_j)) \Rightarrow \forall \gamma$ such that $z_{pi\gamma}$ is defined,
   $pi\gamma \in V(C) \Rightarrow (z_{pi\gamma} = z_{pj\gamma}) \in c_{V(C)}$ and
   $pi\gamma \in S(C)(q),\ q \in Q \Rightarrow (z_{pi\gamma} = z_{pj\gamma}) \in c_{S(C)(q)}$.

2. We apply the transitive closure to express all equalities:
   $(z_{p_1} = z_{p_2} \wedge z_{p_2} = z_{p_3}) \in c_{V(C)} \Rightarrow (z_{p_1} = z_{p_3}) \in c_{V(C)}$;
   $\forall q \in Q$, $(z_{p_1} = z_{p_2} \wedge z_{p_2} = z_{p_3}) \in c_{S(C)(q)} \Rightarrow (z_{p_1} = z_{p_3}) \in c_{S(C)(q)}$.

3. $\forall p, p' \in V(C)$, $p \neq p'$, $(z_p = z_{p'}) \notin c_{V(C)} \Rightarrow (z_p \neq z_{p'}) \in c_{V(C)}$;

4. $\forall q \in Q$, $\forall p, p' \in S(C)(q)$, $p \neq p'$, $(z_p = z_{p'}) \notin c_{S(C)(q)} \Rightarrow (z_p \neq z_{p'}) \in c_{S(C)(q)}$.

Since $T$ is infinite and $\forall q \in Q$, $\mathcal{L}_A(q)$ is infinite, there exist $(t_p)_{p \in V(C)} \in T$ and, $\forall q \in Q$, $(t_p)_{p \in S(C)(q)} \in \mathcal{L}_A(q)$ such that:

1. $\forall p \in V(C) \cup S(C)$, $t_p$ is of height strictly greater than the height of $C$ and strictly greater than the height of the terms of the set $\{t_{p'} \mid p' \in V(C) \cup S(C),\ |p'| < |p|\}$;

2. $\forall p \in V(C)$, $\forall p' \in S(C)$, $t_p \neq t_{p'}$;

3. $\forall q, q' \in Q$, $q \neq q'$, $\forall p \in S(C)(q)$, $\forall p' \in S(C)(q')$, $t_p \neq t_{p'}$;

4. $(t_p)_{p \in V(C)}$ satisfies $c_{V(C)}$;

5. $\forall q \in Q$, $(t_p)_{p \in S(C)(q)}$ satisfies $c_{S(C)(q)}$.

Let us remark that point 3 is satisfied for all families of terms since $A$ is deterministic. Let $C'$ be the term of $T_{\Sigma'}$ defined as follows:

♦ $\forall p \in Pos(C) \setminus (V(C) \cup S(C))$, $C'(p) = C(p)$;

♦ $\forall p \in V(C) \cup S(C)$, $C'|_p = lab_{t_p}$.

For each $p \in V(C)$, $p' \in S(C)$, the constraints of $C$ impose $z_p \neq z_{p'}$ since $C(p) \neq C(p')$. This constraint is satisfied by $lab_{t_p}$ and $lab_{t_{p'}}$ according to the previous points 1 and 2. Similarly, for each $p \in S(C)(q)$, $p' \in S(C)(q')$, $q \neq q'$, the constraints of $C$ impose $z_p \neq z_{p'}$. This constraint is satisfied by $lab_{t_p}$ and $lab_{t_{p'}}$ according to the previous points 1 and 3. We deduce that $C'$ is a constrained term over $\Sigma$ without occurrence of $x$, which ends the proof of Lemma 16.

Let us now prove that we can "instantiate" each constrained term over $\Sigma \cup Q$ 
to a constrained term over $\Sigma$ by replacing each occurrence of a state $q$ by an 
element of $\mathcal{L}_A(q)$ (Definition 17 and Lemma 18); similarly, given an infinite 
set of ground terms $T$, we can "instantiate" each constrained term over $\Sigma$ by 
replacing each occurrence of $x$ by a constrained term associated with an element 
of $T$ (Lemma 19). 

Definition 17. Let $C$ be a constrained term over $\Sigma \cup Q$. A state-instance of $C$ 
is a constrained term obtained from $C$ by replacing each state $q$ by a constrained 
term $lab_t$, $t \in \mathcal{L}_A(q)$. 

Lemma 18. There exists a state-instance of each constrained term. 

Proof. Let $C$ be a constrained term and $C'$ be a constrained term obtained from 
$C$ according to Lemma 16. Let $C''$ be the constrained term defined by 

• $\forall p \in Pos(C) \setminus V(C)$, $C''(p) = C'(p)$; 

• $\forall p \in V(C)$, $C''|_p = $ 

$C''$ is obviously a state-instance of $C$, which ends the proof of Lemma 18. 

Let us remark that when $C'$ is a state-instance of a constrained term $C$, then 
$\forall q \in Q$, $(C[q] \rightarrow^*_A s \Rightarrow C'[q] \rightarrow^*_A s)$. 

Lemma 19. Let $C$ be a constrained term over $\Sigma$ and $T$ be an infinite set of 
terms of $T_\Sigma$. There exists $(t_p)_{p \in V(C)} \in T$ such that $C'$ defined by 

• $\forall p \in Pos(C) \setminus V(C)$, $C'(p) = C(p)$; 

• $\forall p \in V(C)$, $C'|_p = lab_{t_p}$, 

is a constrained term. 

This lemma is an immediate corollary of Lemma 16. Let us now prove that the 
condition of Proposition 14 is necessary. 

Lemma 20. Let us suppose that there exist two rules of $\mathcal{R}$, $f(q_1, \ldots, q_n)[c] \rightarrow 
q$ and $f(q_1, \ldots, q_n)[c'] \rightarrow q'$ such that $c \neq c'$ and $q \neq q'$. Then $\mathcal{L}(A)$ is not 
recognizable. 

Proof. Let us suppose that $\mathcal{L}(A)$ is a regular tree language: there exists $B = 
(\Sigma, Q, F, \Delta)$ a deterministic and complete bottom-up tree automaton recognizing 
it. For each $q \in Q$, we denote $\mathcal{L}_B(q)$ the set of terms $t$ of $T_\Sigma$ such that $t \rightarrow^*_B q(t)$. 
Let us recall the following basic property: 

Property 21. $\forall C \in \mathcal{C}^n(\Sigma), \forall q \in Q, \forall (t_i)_{i \in [n]} \in \mathcal{L}_B(q), \forall (t'_i)_{i \in [n]} \in \mathcal{L}_B(q)$ 

The sketch of the proof is the following: we construct two terms, say $t_1$ and $t_2$, 
such that $t_1$ belongs to $\mathcal{L}(A)$ and $t_2$ does not. Furthermore, $t_1$ and $t_2$ will differ 
only on some positions $p$ where $t_1(p) = t_2(p) = f$, but the subterms at these positions 
in $t_1$ satisfy the constraint $c$ while in $t_2$ the subterms at the same positions satisfy 
the constraint $c'$. 

From $t_1$ and $t_2$ we deduce a general context $C_g$, intuitively the common prefix 
of $t_1$ and $t_2$, such that there exist a state $q_B$ of $B$ and terms $(u_p)$, $(u'_p)$ 
of $\mathcal{L}_B(q_B)$ such that $C_g[(u_p)] \in \mathcal{L}(A)$ and $C_g[(u'_p)] \notin \mathcal{L}(A)$. This will contradict 
Property 21 since we supposed that $\mathcal{L}(A)$ is recognizable. 

Since $A$ is complete, we can suppose without loss of generality that $c$ and $c'$ 
differ only by the splitting of a set, i.e. $\exists (E_k)_{k \in K}, I, J \subseteq [n]$ such that: 

$c = ((E_k)_{k \in K}, I \cup J)$, $card(c) = k + 1$; 

$c' = ((E_k)_{k \in K}, I, J)$, $card(c') = k + 2$. 

$q \neq q'$ hence $q \not\equiv q'$. We deduce that there exists a constrained term $C$ over 
$\Sigma \cup Q$ such that $(C[q] \rightarrow^*_A s \in F \wedge C[q'] \rightarrow^*_A s' \notin F)$. We assume that $s \in F$ and, 
according to Lemma 18, there exists $C'$ a state-instance of $C$. $C'[q] \rightarrow^*_A s$ since 
$C[q] \rightarrow^*_A s$ and $C'[q'] \rightarrow^*_A s'$ since $C[q'] \rightarrow^*_A s'$. 

Let us consider the constrained term $E_1 = f_c(s_1, \ldots, s_n)$ where $\forall k \in I \cup J$, $s_k = x$ 
and $\forall k \notin I \cup J$, $s_k = q_k$. Lemma 18 ensures the existence of a state-instance $E'_1$ 
of $E_1$. Then $E'_1[q_I] \rightarrow^*_A q$ since $E_1[q_I] \rightarrow^*_A q$. 

Let $C_1$ be the constrained term $C'[E'_1]$ and $q_I$ be the unique state present in the 
rule $r$ at positions belonging to $I \cup J$. The run on $C_1[q_I]$ leads to the final state 
$s$ since $C_1[q_I] = C'[E'_1[q_I]] \rightarrow^*_A C'[q] \rightarrow^*_A s$. 

The constrained term $E_2$ is obtained from $E_1$ by replacing the root symbol $f_c$ by 
$f_{c'}$. Hence, $E_2$ and $E_1$ have the same projection onto $T_\Sigma(\{x\})$. From Lemma 18 
there exists $E'_2$ a state-instance of $E_2$. $E'_2$ is chosen in such a way that the root 
subterms at the same position $k \notin I \cup J$ in $E'_1$ and $E'_2$ are identical (remember 
that $c$ and $c'$ only differ by the splitting of $I \cup J$ into $I$ and $J$). Then $E'_2[q_I] \rightarrow^*_A q'$ 
since $E_2[q_I] \rightarrow^*_A q'$. 

In the same way as previously, $C_2$ denotes $C'[E'_2]$. Let us notice that $E'_1$ (resp. 
$C_1$) and $E'_2$ (resp. $C_2$) have the same projection onto $T_\Sigma(\{x\})$. The run on $C_2[q_I]$ 
leads to the non-final state $s'$ since $C_2[q_I] = C'[E'_2[q_I]] \rightarrow^*_A C'[q'] \rightarrow^*_A s'$. 

As we supposed that $\mathcal{L}(A) = \mathcal{L}(B)$ and as $\mathcal{L}_A(q_I)$ is infinite, there exists a state $q_B$ 
of $B$ such that the set $T = \mathcal{L}_A(q_I) \cap \mathcal{L}_B(q_B)$ is infinite. 

As $T$ is infinite, and according to Lemma 19, there exist terms $(u_p)_{p \in V(C_1)} \in T$ 
such that $C'_1$ defined by 

• $\forall p \in Pos(C_1) \setminus V(C_1)$, $C'_1(p) = C_1(p)$; 

• $\forall p \in V(C_1)$, $C'_1|_p = lab_{u_p}$, 




The Recognizability Problem for Tree Automata with Comparisons between Brothers 163 



is a constrained term. As $\forall p$, $u_p \rightarrow^*_A q_I$, the run of this constrained term is 
the final state $s$. The term $t_1$, projection of $C'_1$ onto $T_\Sigma$, satisfies $t_1 \in \mathcal{L}(A)$. 

In the same way, there exist terms $(u'_p)_{p \in V(C_2)} \in T$ such that $C'_2$ defined by 

• $\forall p \in Pos(C_2) \setminus V(C_2)$, $C'_2(p) = C_2(p)$; 

• $\forall p \in V(C_2)$, $C'_2|_p = lab_{u'_p}$, 

is a constrained term and the run of $C'_2$ is the non-final state $s'$. As $A$ is deter- 
ministic, $t_2$, the projection of $C'_2$ onto $T_\Sigma$, does not belong to $\mathcal{L}(A)$. 

Let $C_g$ be the projection of $C'_1$ onto $T_\Sigma(\{x\})$ (which is the same as the projection 
of $C'_2$). $C_g$ is a context -without labels- over a single variable $x$. 

We replace each occurrence of $x$ in $C_g$ by distinct new variables: it results in a 
context $C'_g$ over distinct new variables $(x_p)_{p \in V(C_g)}$ defined by 

• $\forall p \in Pos(C_g) \setminus V(C_g)$, $C'_g(p) = C_g(p)$; 

• $\forall p \in V(C_g)$, $C'_g(p) = x_p$. 

We can prove that $t_1 = C'_g[(u_p)]$ and $t_2 = C'_g[(u'_p)]$. Moreover, $\forall p$, $u_p \rightarrow^*_B 
q_B$ and $u'_p \rightarrow^*_B q_B$, which contradicts Property 21 since $t_1 \in \mathcal{L}(A)$ and $t_2 \notin \mathcal{L}(A)$. 
We deduce that $\mathcal{L}(A)$ is not recognizable, which ends the proof of Lemma 20. 

Let us now prove that the condition of Proposition 14 is sufficient. 

Lemma 22. Let us suppose that for all rules of $\mathcal{R}$, $f(q_1, \ldots, q_n)[c] \rightarrow q$ and 
$f(q_1, \ldots, q_n)[c'] \rightarrow q'$, we have $q = q'$. Then $\mathcal{L}(A)$ is recognizable and we can 
compute a tree automaton recognizing $\mathcal{L}(A)$. 

Proof. Let $B = (\Sigma, Q, F, \Delta)$ be the tree automaton whose set of rules $\Delta$ is 
defined by: $\forall f \in \Sigma_n$, $\forall (q_i)_{i \in [n]} \in Q$, $f(q_1, \ldots, q_n) \rightarrow q \in \Delta$ where $q$ is defined 
by a rule $f(q_1, \ldots, q_n)[c] \rightarrow q$ of $\mathcal{R}$ ($q$ is unique according to the hypothesis of the 
lemma). We easily prove that $\mathcal{L}(A) = \mathcal{L}(B)$. Hence $\mathcal{L}(A)$ is recognizable, which 
ends the proofs of Lemma 22 and of Proposition 14. 

Let $A = (\Sigma, Q, F, \mathcal{R})$ be a normalized-complete $REC_{\neq}$ automaton such that 
for each state $q$ of $A$, $\mathcal{L}_A(q)$ is infinite. According to Remark 13 and Proposi- 
tion 14, we deduce that the recognizability problem of $\mathcal{L}(A)$ is decidable. Finally, 
according to Section 4.1, we deduce the following theorem: 

Theorem 23. The recognizability problem in the class $REC_{\neq}$ is decidable. 

5 Conclusion 

We proved here that the recognizability problem is decidable in the class $REC_{\neq}$. 
It implies e.g. the decidability of recognizability of $h(L)$ where $h$ is a quasi- 
algebraic tree homomorphism (i.e. variables occur at depth one in a letter's 
image) and $L$ a recognizable language. 

It also provides a rather simple algorithm for testing recognizability of the set of 
normal forms (resp. of the set of direct descendants of a recognizable language) 
for some subclasses of rewrite systems (like shallow ones). 

Furthermore, the notions we define here -like constrained terms- could perhaps 
be extended and help to answer the two following open problems: 

Is recognizability decidable in the class of reduction automata? 

Can we decide whether the homomorphic image of a recognizable tree language 
is recognizable? 
A Theory of "May" Testing 
for Asynchronous Languages 
Abstract. Asynchronous communication mechanisms are usually a basic 
ingredient of distributed systems and protocols. For these systems, 
asynchronous may-based testing seems to be exactly what is needed to 
capture safety and certain security properties. We study may testing 
equivalence focusing on the asynchronous versions of CCS and π-calculus. 

We start from an operational testing preorder and provide finitary and 
fully abstract trace-based interpretations for it, together with complete 
inequational axiomatizations. The results throw light on the differences 
between synchronous and asynchronous systems and on the weaker test- 
ing power of asynchronous observations. 



1 Introduction 

Distributed systems often rely on asynchronous communication primitives for 
exchanging information. Many properties of these systems can be conveniently 
expressed and verified by means of behavioural equivalences. In particular, may 
testing [11] seems to be exactly what is needed for reasoning about safety prop- 
erties. In this respect, an assumption of asynchrony can often play a crucial 
role. 

As an example, consider a trivial communication protocol with two users $A$ 
and $B$ sharing a private channel $c$. The protocol requires that $A$ uses $c$ to send 
a bit of information $m$ to $B$, then $B$ receives two messages on channels $a$ and 
$b$, finally $B$ sends, on channel $d$, the message received on $a$. The ordering of the 
inputs on $a$ and $b$ depends on the message received on $c$. In π-calculus we can 
formulate this protocol as follows (the meaning of the various operators is the 
usual one; in particular, $(\nu c)$ stands for creation of a local channel $c$): 

$A = \bar{c}m$ 

$B = c(x).([x = 0]\,a(y).b(z).\bar{d}y + [x = 1]\,b(z).a(y).\bar{d}y)$ 

$S = (\nu c)(A \mid B)$ 

Secrecy, i.e. the ability to keep a datum secret, is an important property which 
one might want to check of this protocol: externally, it should not be possible 
to guess message $m$ from the behaviour of the whole system $S$. Following [2], 
this property can be formalized by requiring that the behaviour of the protocol 
should not depend on the bit that $A$ sends to $B$: in other words, processes 
$S[0/m]$ and $S[1/m]$ should be equivalent. The intended equivalence is here the 
one induced by may testing: a process may pass a 'test' performed by an external 
observer if and only if the other process may. If one interprets 'passing a test' as 
'revealing a piece of information', then equivalent processes may reveal externally 
the same information. Now, it is easy to see that an observer could tell $S[0/m]$ 
and $S[1/m]$ apart via synchronous communication on $a$ and $b$ (traffic analysis). 
However, $S[0/m]$ and $S[1/m]$ are equivalent in a truly asynchronous scenario, in 
which no ordering on the arrival of outgoing messages is guaranteed. 

It is therefore important to have a full understanding of may-semantics in 
an asynchronous setting. We shall consider asynchronous variants of CCS and 
π-calculus: in these models, the communication medium can be understood as 
a bag of output actions (messages), waiting to be consumed by corresponding 
input actions. This is reminiscent of the Linda approach [13]. In [7], we have 
provided an observer-independent characterization of the asynchronous testing 
preorders. Here, we use this characterization as a starting point for defining a 
"finitary" trace-based model and a complete axiomatization for the may testing 
preorder. 

When modelling asynchronous processes, the main source of complications is 
the non-blocking nature of output primitives. It is demanded that processes be 
receptive, i.e. that they be able to receive all messages sent by the environment at 
any time. A simple approach to this problem leads to models where all possible 
inputs (i.e. outputs from the environment) at any stage are explicitly described. 
As a result, infinitary descriptions are obtained even for simple, non-recursive, 
processes. For example, according to [16], the operational description of the null 
process $0$ is the same as that of $recX.a.(\bar{a} \mid X)$, where $a$ stands for any input 
action, $\bar{a}$ is its complementary output and $rec$ is the recursion operator. Similarly, 
[5] presents a trace-based model that permits arbitrary "gaps" in traces to take 
into account any external influence on the behaviour of processes. 

Differently from [16], we build on the usual operational semantics of the 
language, which just describes what the process intentions are at any stage, and 
we take advantage of a preorder $\preceq$ between sequences of actions (traces). The 
intuition behind $\preceq$ is that whenever a trace $s$ may lead to a successful interaction 
with the environment and $s' \preceq s$, then $s'$ may lead to success as well. It turns 
out that, when comparing two processes, only their "minimal" traces need to 
be taken into account. This leads to a model that assigns finite denotations to 
finite processes. More precisely, the interpretation of the may preorder ($\sqsubseteq_m$) 
suggested by the model is as follows: $P \sqsubseteq_m Q$ if, consuming the same messages, 
$Q$ can produce at least the same messages as $P$. 

Building on the above mentioned preorder over traces, we provide a complete 
(in-)equational axiomatization for asynchronous CCS that relies on the laws: 
(A1) $a.b.P = b.a.P$ and (A2) $a.(\bar{a} \mid P) \sqsubseteq P$. 

These two laws are specific to asynchronous testing and are not sound for the 
synchronous may preorder [11]. The completeness proof relies on the existence 
of canonical forms directly inspired by the finitary trace-based model. 

We develop both the model and the axiomatization first for asynchronous 
CCS, and then for asynchronous π-calculus. The simpler calculus is sufficient to 
isolate the key issues of asynchrony. Indeed, both the trace interpretation and 
the axiomatization for π-calculus are dictated by those for CCS. 

The rest of the paper is organized as follows. Section 2 introduces asyn- 
chronous CCS and the may-testing preorder. Sections 3 and 4 present a fully 
abstract trace-based interpretation of processes and a complete proof system 
for finite processes, respectively. In Section 5 the results of the previous sections 
are extended to π-calculus. The final section contains a few concluding remarks 
and a brief discussion of related work. 

2 Asynchronous CCS 

In this section we present the syntax, operational and testing semantics of asyn- 
chronous CCS (ACCS, for short) [7]. It differs from standard CCS because only 
guarded choices are used and output guards are not allowed. The absence of 
output guards "forces" asynchrony; it is not possible to define processes that 
causally depend on output actions. 

Syntax We let $\mathcal{N}$, ranged over by $a, b, \ldots$, be an infinite set of names used to 
model input actions and $\overline{\mathcal{N}} = \{\bar{a} \mid a \in \mathcal{N}\}$, ranged over by $\bar{a}, \bar{b}, \ldots$, be the set of 
co-names that model outputs. $\mathcal{N}$ and $\overline{\mathcal{N}}$ are disjoint and are in bijection via the 
complementation function $\bar{(\ )}$; we define $\bar{\bar{a}} = a$. We let $\mathcal{L} = \mathcal{N} \cup \overline{\mathcal{N}}$ be the set 
of visible actions, and let $l, l', \ldots$ range over it. We let $Act = \mathcal{L} \cup \{\tau\}$, where $\tau$ is 
a distinct action, be the set of all actions or labels, ranged over by $\mu$. We shall 
use $A, B, L, \ldots$ to range over subsets of $\mathcal{L}$. We let $\mathcal{X}$, ranged over by $X, Y, \ldots$, 
be a countable set of process variables. 

Definition 1. The set of ACCS terms is generated by the grammar: 

$E ::= \bar{a} \mid \sum_{i \in I} g_i.E_i \mid E_1 \,|\, E_2 \mid E \backslash L \mid E\{f\} \mid X \mid recX.E$ 

where $g_i \in \mathcal{N} \cup \{\tau\}$, and $f : \mathcal{N} \to \mathcal{N}$, called relabelling function, is injective and 
such that $\{l \mid f(l) \neq l\}$ is finite. We extend $f$ to $\mathcal{L}$ by letting $f(\bar{a}) = \overline{f(a)}$. We 
let $\mathcal{P}$, ranged over by $P, Q$, etc., denote the set of closed and guarded terms or 
processes (i.e. those terms where every occurrence of any agent variable $X$ lies 
within the scope of some $recX.\_$ and $\sum$ operators). 

In the sequel, $\sum_{i \in \{1,2\}} g_i.E_i$ will be abbreviated as $g_1.E_1 + g_2.E_2$, 
$\sum_{i \in \{1\}} g_i.E_i$ as $g_1.E_1$ and $\sum_{i \in \emptyset} g_i.E_i$ as $0$; we will also write $g$ for $g.0$. As 
usual, we write $E[F/X]$ for the term obtained by replacing each free occurrence 
of $X$ in $E$ by $F$ (with possible renaming of bound process variables). We write 
$n(P)$ to denote the set of visible actions occurring in $P$. 



Operational Semantics The labelled transition system $(\mathcal{P}, Act, \longrightarrow)$ in Figure 
1 defines the operational semantics of the language. 

As usual, we use $\Longrightarrow$ or $\stackrel{\varepsilon}{\Longrightarrow}$ to denote the reflexive and transitive closure 
of $\stackrel{\tau}{\longrightarrow}$ and use $\stackrel{l}{\Longrightarrow}$ (resp. $\stackrel{s}{\Longrightarrow}$) for $\Longrightarrow \stackrel{l}{\longrightarrow} \Longrightarrow$ (resp. $\stackrel{l}{\Longrightarrow} \stackrel{s'}{\Longrightarrow}$) when 
$s = l.s'$. Moreover, we write $P \stackrel{s}{\Longrightarrow}$ for $\exists P' : P \stackrel{s}{\Longrightarrow} P'$ ($P \stackrel{\mu}{\longrightarrow}$ and $P \stackrel{\mu}{\not\longrightarrow}$ will 
be used similarly). We will call language generated by $P$ the set $L(P) = \{s \in 
\mathcal{L}^* \mid P \stackrel{s}{\Longrightarrow}\}$. We say that a process $P$ is stable if $P \stackrel{\tau}{\not\longrightarrow}$. 




May Semantics We are now ready to instantiate on ACCS the general frame- 
work of [11, 15] to obtain the may preorder and equivalence. In the sequel, 
observers, ranged over by $O$, are ACCS processes that can additionally perform 
a distinct success action $\omega$. 

Definition 2. $P \sqsubseteq_m Q$ iff for every observer $O$, $P \mid O \stackrel{\omega}{\Longrightarrow}$ implies $Q \mid O \stackrel{\omega}{\Longrightarrow}$. 

We will use $\simeq_m$ to denote the equivalence obtained as the kernel of the 
preorder $\sqsubseteq_m$ (i.e. $\sqsubseteq_m \cap \sqsupseteq_m$). 

Universal quantification on observers makes it difficult to work with the op- 
erational definition of the may preorder; an alternative characterization is called 
for. In the synchronous case, this characterization is simply trace inclusion 
(see, e.g., [11, 15]). In [7], by taking advantage of a preorder over single traces, 
we proved that in the case of asynchronous communication a weaker condition is 
required; we summarize these results below. 

Definition 3. Let $\preceq$ be the least preorder over $\mathcal{L}^*$ preserved under trace com- 
position and satisfying the following laws: 

T01 $\varepsilon \preceq a$ ;  T02 $la \preceq al$ ;  T03 $\varepsilon \preceq a\bar{a}$ 

The intuition behind the laws in Definition 3 is that, whenever a process 
interacts with its environment by performing a sequence of actions $s$, an inter- 
action is possible also if the process performs any $s' \preceq s$. To put it differently, if 
the environment offers $s$, then it also offers any $s'$ s.t. $s' \preceq s$. 

More specifically, law T01 (deletion) says that process inputs cannot be en- 
forced. For example, we have $bc \preceq abc$: if the environment offers the sequence 
$abc$, then it also offers $bc$, as there can be no causal dependence of $bc$ upon the 
output $\bar{a}$. Law T02 (postponement) says that observations of process inputs can 
be delayed. For example, we have that $bac \preceq abc$. Indeed, if the environment 
offers $abc$ then it also offers $bac$. Finally, law T03 (annihilation) allows the envi- 
ronment to internally consume complementary actions, e.g. $b \preceq a\bar{a}b$. Indeed, 
if the environment offers $a\bar{a}b$ it can internally consume $a$ and $\bar{a}$ and offer $b$. 

Definition 4. For processes $P$ and $Q$, we write $P \ll Q$ iff whenever $P \stackrel{s}{\Longrightarrow}$ 
then there exists $s'$ such that $s' \preceq s$ and $Q \stackrel{s'}{\Longrightarrow}$. 

Theorem 5. For all processes $P$ and $Q$, $P \sqsubseteq_m Q$ iff $P \ll Q$. 

One can easily prove that $\sqsubseteq_m$ is a pre-congruence; the proof relies on the 
coincidence between $\sqsubseteq_m$ and $\ll$ (however, the case of parallel composition is 
best dealt with by relying on the definition of $\sqsubseteq_m$). 

3 A Finitary Trace-based Model 

A fully abstract set-theoretic interpretation for $\sqsubseteq_m$ can be obtained by inter- 
preting each $P$ as the set of traces $[\![P]\!]_m = \{s \mid$ there is $s' \in L(P) : s' \preceq s\}$ and 
then ordering interpretations by set inclusion. However, this naive interpreta- 
tion is not satisfactory, because it includes infinitely many traces even for finite 
processes; for instance, $[\![0]\!]_m = \{\varepsilon, a, a\bar{a}, a\bar{a}a, \ldots, b, bb, \ldots\}$. 

To obtain a non-redundant interpretation, we shall "minimize" the language 
of a process $P$, $L(P)$, w.r.t. the trace preorder $\preceq$. In the sequel, we use $[s]$ to 
denote the $\preceq$-equivalence class of $s$, i.e. the set $\{s' : s' \preceq s$ and $s \preceq s'\}$. 

Definition 6. 

- Consider a set $D$ of $\preceq$-equivalence classes. We say that $D$ is a denotation 
if whenever $[s], [s'] \in D$ and $s \preceq s'$ then $[s] = [s']$. We call $\mathcal{D}$ the set of all 
denotations. 

- $\mathcal{D}$ is ordered by setting: $D_1 \leq D_2$ iff for each $[s] \in D_1$ there is $[s'] \in D_2$ 
such that $s' \preceq s$. 

In words, a denotation $D$ is a set of $\preceq$-equivalence classes which are minimal 
elements of $D$. 

Lemma 7. $(\mathcal{D}, \leq)$ is a partial order. 

Definition 8. For each $P$, we interpret $P$ as the denotation 
$[\![P]\!]_m = \{[s] : s \in L(P)$ and for each $s' \in L(P) : s' \preceq s$ implies $[s] = [s']\}$. 
Example 1. 

1. If $P = a.(\bar{a} \mid \bar{b})$, we have $L(P) = \{\varepsilon, a, a\bar{a}, a\bar{b}, a\bar{a}\bar{b}, a\bar{b}\bar{a}\}$ and that $\varepsilon$ is minimal 
in $L(P)$ (by T01-T03), hence $[\![a.(\bar{a} \mid \bar{b})]\!]_m = [\![0]\!]_m = \{[\varepsilon]\}$. 

2. If $P = \bar{a} \mid b.\bar{c}$, then $L(P) = \{\varepsilon, \bar{a}, \bar{a}b, \bar{a}b\bar{c}, b, b\bar{a}, b\bar{a}\bar{c}, b\bar{c}, b\bar{c}\bar{a}\}$. The 
set of $\preceq$-minimal traces of $L(P)$ is $\{\varepsilon, \bar{a}, b\bar{c}, \bar{a}b\bar{c}, b\bar{c}\bar{a}\}$ and $[\![P]\!]_m = 
\{[\varepsilon], [\bar{a}], [b\bar{c}], [\bar{a}b\bar{c}], [b\bar{c}\bar{a}]\}$. 

3. If $P = \bar{a} \mid b.\bar{c}$ and $Q = a.P$, then $[\![P]\!]_m = \{[\varepsilon], [\bar{a}], [b\bar{c}], [\bar{a}b\bar{c}], [b\bar{c}\bar{a}]\}$ and 
$[\![Q]\!]_m = \{[\varepsilon], [ab\bar{c}], [a\bar{a}b\bar{c}], [ab\bar{c}\bar{a}]\}$; hence $[\![Q]\!]_m \leq [\![P]\!]_m$. 
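The definitions above can be executed on finite ACCS processes. The following Python program is an added example, not code from the paper: it implements the transition relation for the finite fragment (guarded sums, outputs and parallel composition, written as nested tuples in which an input action is a name `a` and its co-name is `~a`), the trace preorder $\preceq$ of Definition 3 as a search over the reversed laws T01-T03, the characterization $\ll$ of Definition 4, and the denotation $[\![P]\!]_m$ of Definition 8 with the order of Definition 6. It reproduces items 2 and 3 of Example 1, and also checks a constructed ACCS approximation of the secrecy example of the introduction: after the private exchange on $c$ the two instances of $S$ are modelled as $a.b.\bar{d}$ and $b.a.\bar{d}$ (data values dropped; this simplification is my assumption, not the paper's). Under $\preceq$ the two are may-equivalent although neither trace set includes the other, which is the synchronous/asynchronous difference the introduction describes.

```python
"""Asynchronous may testing over finite ACCS processes: trace preorder of
Definition 3 (laws T01-T03), the relation << of Definition 4 and the
finitary denotations of Definition 8.  Added example, not the paper's code."""

# Actions: an input is a plain name 'a'; its co-name (output) is '~a'.
# Processes: ('out', a) | ('sum', ((guard, P), ...)) | ('par', P, Q),
# where guard is an input name or 'tau'.  NIL is the empty sum.
NIL = ('sum', ())

def out(a):            return ('out', a)
def inp(a, P):         return ('sum', ((a, P),))
def tau(P):            return ('sum', (('tau', P),))
def choice(*branches): return ('sum', tuple(br[1][0] for br in branches))
def par(P, Q):         return ('par', P, Q)

def is_input(act): return act != 'tau' and not act.startswith('~')
def comp(act):     return act[1:] if act.startswith('~') else '~' + act

def steps(P):
    """Labelled transitions P --l--> P' of the finite fragment."""
    if P[0] == 'out':
        yield comp(P[1]), NIL                    # the message is delivered
    elif P[0] == 'sum':
        for g, Q in P[1]:
            yield g, Q                           # guarded choice
    else:
        _, L, R = P
        for l, L2 in steps(L):
            yield l, par(L2, R)
        for r, R2 in steps(R):
            yield r, par(L, R2)
        for l, L2 in steps(L):                   # communication: a meets ~a
            for r, R2 in steps(R):
                if l != 'tau' and comp(l) == r:
                    yield 'tau', par(L2, R2)

def language(P):
    """L(P): every visible trace s with P ==s==> (tau steps are dropped)."""
    traces, seen, todo = set(), set(), [(P, ())]
    while todo:
        Q, s = todo.pop()
        if (Q, s) in seen:
            continue
        seen.add((Q, s)); traces.add(s)
        for l, Q2 in steps(Q):
            todo.append((Q2, s if l == 'tau' else s + (l,)))
    return traces

def below(s):
    """All traces s' with s' <= s: close s under the laws read right-to-left,
    T01 (delete an input), T02 (move an input one step to the right) and
    T03 (erase an adjacent pair a ~a).  Finite, since steps only shorten
    the trace or permute it."""
    seen, todo = {s}, [s]
    while todo:
        t = todo.pop()
        for i, act in enumerate(t):
            if not is_input(act):
                continue
            cands = [t[:i] + t[i + 1:]]                              # T01
            if i + 1 < len(t):
                cands.append(t[:i] + (t[i + 1], act) + t[i + 2:])     # T02
                if t[i + 1] == comp(act):
                    cands.append(t[:i] + t[i + 2:])                  # T03
            for c in cands:
                if c not in seen:
                    seen.add(c); todo.append(c)
    return seen

def leq(s1, s2):
    """s1 <= s2 in the trace preorder."""
    return s1 in below(s2)

def may_preorder(P, Q):
    """P << Q (Definition 4): every trace of P dominates some trace of Q."""
    LQ = language(Q)
    return all(any(leq(t, s) for t in LQ) for s in language(P))

def may_equiv(P, Q): return may_preorder(P, Q) and may_preorder(Q, P)

def denotation(P):
    """[[P]]_m (Definition 8): the <=-minimal traces of L(P), each returned
    as its <=-equivalence class (a frozenset of traces)."""
    L, classes = language(P), set()
    for s in L:
        dn = below(s)
        if all(s in below(t) for t in L if t in dn):
            classes.add(frozenset(t for t in dn if s in below(t)))
    return classes

def denot_leq(D1, D2):
    """D1 <= D2 in the order of Definition 6 (any representative will do)."""
    return all(any(leq(next(iter(c2)), next(iter(c1))) for c2 in D2) for c1 in D1)

# Example 1 of the paper: P = ~a | b.~c and Q = a.P
P = par(out('a'), inp('b', out('c')))
Q = inp('a', P)
# Example 2 of the paper: tau.(~a | b.b) + tau.b.(~a | b), canonical form tau.~a
P2 = choice(tau(par(out('a'), inp('b', inp('b', NIL)))),
            tau(inp('b', par(out('a'), inp('b', NIL)))))
# Constructed approximation of the secrecy example (assumption: values dropped,
# private exchange on c already done): S[0/m] ~ a.b.~d and S[1/m] ~ b.a.~d
S0 = inp('a', inp('b', out('d')))
S1 = inp('b', inp('a', out('d')))

if __name__ == '__main__':
    print(len(denotation(P)), len(denotation(Q)))                    # 5 4
    print(denot_leq(denotation(Q), denotation(P)),
          denot_leq(denotation(P), denotation(Q)))                   # True False
    print(may_equiv(P2, tau(out('a'))), may_equiv(S0, S1),
          language(S0) <= language(S1))                              # True True False
```

`denot_leq` and `may_preorder` are two routes to the same answer (Theorem 10 below states that they coincide); the denotation route works on five and four classes for Example 1 instead of the nine and ten traces of the languages. The search in `below` is exponential in the number of inputs in a trace, which is acceptable for the small processes the examples use but not a general decision procedure.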

Lemma 9. Let $C$ be a non-empty set of $\preceq$-equivalence classes. Then $C$ has 
minimal elements (w.r.t. the obvious ordering $[s'] \leq [s]$ iff $s' \preceq s$). 

Theorem 10. $P \sqsubseteq_m Q$ if and only if $[\![P]\!]_m \leq [\![Q]\!]_m$ in $\mathcal{D}$. 

Proof: We use the alternative characterization of $\sqsubseteq_m$. Suppose that 
$P \ll Q$; we show that $[\![P]\!]_m \leq [\![Q]\!]_m$ in $\mathcal{D}$. Let $[s] \in [\![P]\!]_m$, with $P \stackrel{s}{\Longrightarrow}$. 
Then there is $s'$ s.t. $Q \stackrel{s'}{\Longrightarrow}$ and $s' \preceq s$. Choose now $[s_0]$ which is minimal for the 
set $\{[s''] : s'' \in L(Q)$ and $s'' \preceq s'\}$, and which exists by virtue of Lemma 9. By 
definition $[s_0] \in [\![Q]\!]_m$, and moreover $s_0 \preceq s$. The converse implication 
can be proven similarly. □ 

It is possible to give a “concrete” representation of equivalence classes. 

Proposition 11. Let $s_1 = m_1 M_1 \cdots m_n M_n$, $n \geq 0$, be any trace, where, for 
$1 \leq i \leq n$, $m_i$ (resp. $M_i$) is a trace containing only inputs (resp. outputs). 
Suppose that $s_2 \preceq s_1$ and $s_1 \preceq s_2$. Then $s_2$ is of the form $m'_1 M_1 \cdots m'_n M_n$ 
where, for $1 \leq i \leq n$, $m'_i$ is a permutation of $m_i$. 

The above proposition allows one to consider equivalence classes of traces as 
sequences where multisets of input actions alternate with sequences of output 
actions. This model can be further optimized. For example, when defining $[\![\cdot]\!]_m$ 
it is possible to enrich the theory of $\preceq$ with a commutativity law for outputs 
($\bar{a}\bar{b} \preceq \bar{b}\bar{a}$); this permits viewing sequences of outputs as multisets and yields 
smaller denotations of processes. For instance, the denotation of process $P$ in 
Example 1 would reduce to $\{[\varepsilon], [\bar{a}], [b\bar{c}], [\bar{a}b\bar{c}]\}$. A similar optimization will be 
used in the definition of canonical traces, in the next section. 

4 A Proof System for ACCS 

In this section we define a proof system for ACCS and prove that it is sound 
and complete with respect to $\sqsubseteq_m$ for finite (without recursion) processes. 

The proof system, that we call $\mathcal{A}$, is based on the in-equational laws in Table 1 
plus the usual inference rules for reflexivity, transitivity and substitutivity in 
any context. We use $G$ to range over guarded sums. Given two guarded sums 
$G = \sum_{i \in I} g_i.P_i$ and $G' = \sum_{j \in J} g_j.P_j$, define $G + G'$ as $\sum_{k \in I \cup J} g_k.P_k$. Each 
equation $P = Q$ is an abbreviation for the pair of inequations $P \sqsubseteq Q$ and $Q \sqsubseteq P$. 
We write $P \sqsubseteq_{\mathcal{A}} Q$ ($P =_{\mathcal{A}} Q$) to indicate that $P \sqsubseteq Q$ ($P = Q$) can be derived 
within the proof system $\mathcal{A}$. 
Table 1. Laws for ACCS 

Laws A1 and A2 differentiate asynchronous from synchronous may testing: 
they are not sound for the synchronous may preorder [11]. In particular, law 
A1 states that processes are insensitive to the arrival ordering of messages from 
the environment, while law A2 states that any execution of $P$ that depends on 
the availability of a message $a$ is worse than $P$ itself, even if $\bar{a}$ is immediately 
re-issued. The other laws in Table 1 are sound also for the synchronous may 
testing [11]. The laws in Table 1 can be easily proven sound by taking advantage 
of the preorder $\ll$. 

Let us now consider some derived laws, among which (D1) $a.P \sqsubseteq_{\mathcal{A}} P$ and 
(D2) $0 \sqsubseteq_{\mathcal{A}} \bar{a}$. Law D2 follows immediately from law T4. The inequality D1 can 
be derived by first noting that from D2 it follows $P \sqsubseteq_{\mathcal{A}} \bar{a} \mid P$, which implies 
$a.P \sqsubseteq_{\mathcal{A}} a.(\bar{a} \mid P)$; now apply A2. In particular, we have that $a \sqsubseteq_{\mathcal{A}} 0$. From 
$0 \sqsubseteq_{\mathcal{A}} P$, for any $P$ (a consequence of T4), and $a.\bar{a} \sqsubseteq_{\mathcal{A}} a.(\bar{a} \mid 0) \sqsubseteq_{\mathcal{A}} 0$ (law A2), 
we get $a.\bar{a} =_{\mathcal{A}} 0$. 

For proving completeness of the proof system, we shall rely on the exis- 
tence of canonical forms for processes, which are unique up to associativity and 
commutativity of summation and parallel composition and up to permutation of 
consecutive input actions. Uniqueness is a result of independent interest, because 
it leads to unique (and rather compact) representatives for equivalence classes 
of processes. The canonical form of a process will be obtained by minimizing its 
set of traces via a trace preorder that extends $\preceq$ with a commutativity law for 
output actions. 

Definition 12. Let $\preceq_{|}$ be the least preorder over traces induced by the laws 
T01-T03 plus the law: (T04) $\bar{a}\bar{b} \preceq \bar{b}\bar{a}$. 

Of course, $\preceq$ is included in $\preceq_{|}$. 

Definition 13 (canonical forms). 

- Given $s \in Act^*$, the process $t(s)$ is defined by induction on $s$ as follows: 

$t(\varepsilon) = 0$, $t(a s') = a.t(s')$ and $t(\bar{a} s') = \bar{a} \mid t(s')$. 

- Consider $A \subseteq_{fin} \mathcal{L}^*$. We say that $A$ is: 

♦ complete if whenever $t(r) \stackrel{s}{\Longrightarrow}$, for $r \in A$, then there is $s' \in A$ s.t. $s' \preceq_{|} s$; 

♦ minimal if whenever $s, s' \in A$ and $s' \preceq_{|} s$ then $s' = s$. 

- A canonical form is a process of the form $\sum_{s \in A - \{\varepsilon\}} \tau.t(s)$ for some $A \subseteq_{fin} \mathcal{L}^*$ 
which is both complete and minimal. 

Note that a complete set of traces always contains the empty trace e. The 
proof of uniqueness of canonical forms can be decomposed into three simple 
lemmata. 

Lemma 14. If $t(s) \stackrel{s'}{\Longrightarrow}$ then $t(s') \sqsubseteq_{\mathcal{A}} t(s)$. 

Proof: The proof proceeds by induction on the length of $s$. The most interesting 
case is when $s = \bar{a}s_0$, for some $s_0$; hence $t(s) = \bar{a} \mid t(s_0)$. Then there are two cases 
for $s'$: either $t(s_0) \stackrel{s'}{\Longrightarrow}$, and then the thesis follows from $P \sqsubseteq_{\mathcal{A}} \bar{a} \mid P$ (by D2) and 
the induction hypothesis, or $s' = \sigma\bar{a}\rho$, with $t(s_0) \stackrel{\sigma\rho}{\Longrightarrow}$, for some traces $\sigma$ and $\rho$. In 
the latter case, we get from the induction hypothesis that $t(\sigma\rho) \sqsubseteq_{\mathcal{A}} t(s_0)$; hence 
$\bar{a} \mid t(\sigma\rho) \sqsubseteq_{\mathcal{A}} \bar{a} \mid t(s_0) = t(s)$; from repeated applications of (P2) and T5, we get 
$t(s') = t(\sigma\bar{a}\rho) \sqsubseteq_{\mathcal{A}} \bar{a} \mid t(\sigma\rho)$, and hence the thesis. □ 

Lemma 15. Let $C_1 = \sum_{s \in A - \{\varepsilon\}} \tau.t(s)$ and $C_2 = \sum_{r \in B - \{\varepsilon\}} \tau.t(r)$ be canonical 
forms such that $C_1 \sqsubseteq_m C_2$. Then for each $s \in A$ there is $r \in B$ such that $r \preceq_{|} s$. 

Proof: Let $s \in A$. Then $C_1 \stackrel{s}{\Longrightarrow}$, thus, since $C_1 \sqsubseteq_m C_2$, there is $s'$ s.t. $C_2 \stackrel{s'}{\Longrightarrow}$ 
and $s' \preceq s$. This implies, by completeness of $B$, that there is $r \in B$ such that 
$r \preceq_{|} s'$. Since $s' \preceq s$, we obtain that $r \preceq_{|} s$. □ 

We write $P_1 =_{ac} P_2$ if $P_1 =_{\mathcal{A}} P_2$ can be derived using only the laws C2, C3, 
P2, P3 and A1. For the proof of the following lemma, just note that whenever 
$s_1$ and $s_2$ are $\preceq_{|}$-equivalent, then only laws T02 and T04 can be used to derive 
$s_1 \preceq_{|} s_2$ and $s_2 \preceq_{|} s_1$. 

Lemma 16. If $s_1 \preceq_{|} s_2$ and $s_2 \preceq_{|} s_1$ then $t(s_1) =_{ac} t(s_2)$. 

Theorem 17 (uniqueness). Let $C_1$ and $C_2$ be canonical forms such that 
$C_1 \simeq_m C_2$. Then $C_1 =_{ac} C_2$. 

Proof: Suppose $C_1 = \sum_{s \in A - \{\varepsilon\}} \tau.t(s)$ and $C_2 = \sum_{r \in B - \{\varepsilon\}} \tau.t(r)$. We prove 
that for each $s \in A$ there is $r \in B$ s.t. $s \preceq_{|} r$ and $r \preceq_{|} s$, by which the result 
will follow by Lemma 16 and by symmetry. Suppose that $s \in A$. Since $C_1 \sqsubseteq_m C_2$, 
by Lemma 15, we deduce that there is $r \in B$ s.t. $r \preceq_{|} s$. But since $C_2 \sqsubseteq_m C_1$ 
as well, we deduce the existence of $s' \in A$ with $s' \preceq_{|} r$, hence $s' \preceq_{|} r \preceq_{|} s$. By 
minimality of $A$ we deduce that $s = s' = r$. □ 

Example 2. Consider $P \stackrel{def}{=} \tau.(\bar{a} \mid b.b) + \tau.b.(\bar{a} \mid b)$. To get the canonical form 
of $P$, we first compute the language of $P$ and obtain the complete set 
$\{\varepsilon, \bar{a}, b, \bar{a}b, b\bar{a}, bb, \bar{a}bb, b\bar{a}b, bb\bar{a}\}$. Then we minimize, thus finding the minimal set 
$\{\varepsilon, \bar{a}\}$, which is also complete. Thus $\tau.\bar{a}$ is the canonical form of $P$. 

We proceed now to prove completeness of the proof system. 

Lemma 18 (absorption). If $s' \preceq_{|} s$ then $t(s) \sqsubseteq_{\mathcal{A}} t(s')$. 

Proof: We prove the thesis by induction on the number $n$ of times the laws 
T01-T04 are used to derive $s' \preceq_{|} s$. The proof relies on the laws D1, D2, A2 and 
P2. As an example, we analyze the base case ($n = 1$), when $s' \preceq_{|} s$ is derived with 
one application of T03. This means that $s = \sigma a\bar{a}\rho$ and $s' = \sigma\rho$, for some $a$ and 
some traces $\sigma$ and $\rho$. Now, note that whenever $s = s_1 s_2$ then $t(s) = t(s_1)[t(s_2)]$, 
where the latter term is obtained by replacing the single occurrence of $0$ in $t(s_1)$ 
with $t(s_2)$. Therefore, by congruence of $\sqsubseteq_{\mathcal{A}}$ and law A2, we get: 

$t(s) = t(\sigma)[a.(\bar{a} \mid t(\rho))] \sqsubseteq_{\mathcal{A}} t(\sigma)[t(\rho)] = t(s')$ . □ 

Lemma 19. For each $P$ there exists a canonical form $C$ s.t. $P =_{\mathcal{A}} C$. 

Proof: By induction on $P$ and using the laws in Table 1 it is easy to show that 
$P$ is provably equivalent to some process $C_1 = \sum_{s \in A_1 - \{\varepsilon\}} \tau.t(s)$, for some set 
$A_1$. Consider now the following two facts: 

1. Whenever $t(s) \stackrel{s'}{\Longrightarrow}$ then $t(s) =_{\mathcal{A}} \tau.t(s) + \tau.t(s')$. 

2. Let $A$ be a complete set. Suppose that there are $s, s' \in A$ s.t. $s \preceq_{|} s'$ 
and $s \neq s'$. Then: (a) $A - \{s'\}$ is complete, and (b) $\sum_{r \in A - \{\varepsilon\}} \tau.t(r) =_{\mathcal{A}} 
\sum_{r \in A - \{\varepsilon, s'\}} \tau.t(r)$. 

(1 is a consequence of Lemma 14; 2 derives from the definition of complete set 
and, for part (b), of Lemma 18 and law C1). 

By repeatedly applying 1, we can 'saturate' $A_1$, thus proving $C_1$ equivalent 
to a summation $C_2$ over a complete set $A_2$. Then, by repeatedly applying 2, we 
can remove redundant traces in $A_2$, thus proving $C_2$ equivalent to a summation 
over a complete and minimal set of traces. □ 
Theorem 20 (completeness). For finite ACCS processes $P$ and $Q$, $P \sqsubseteq_m Q$ 
implies $P \sqsubseteq_{\mathcal{A}} Q$. 

Proof: Lemma 19 allows us to assume that both $P$ and $Q$ are in canonical 
form: $P = \sum_{s \in A - \{\varepsilon\}} \tau.t(s)$, $Q = \sum_{r \in B - \{\varepsilon\}} \tau.t(r)$. It is sufficient to show 
that for each $s \in A$ there is $r \in B$ s.t. $t(s) \sqsubseteq_{\mathcal{A}} t(r)$, by which the thesis will 
follow thanks to the law T4. But this fact follows by Lemmata 15 and 18. □ 

5 The π-calculus 

In this section we discuss the extensions of our theory to the asynchronous 
variant of π-calculus [16, 8, 14, 1]. 



Syntax and semantics We assume the existence of a countable set $\mathcal{N}$ of names 
ranged over by $a, b, \ldots, x, \ldots$. Processes are ranged over by $P$, $Q$ and $R$. The syn- 
tax of asynchronous π-calculus contains the operators of inaction, output action, 
guarded summation, restriction, parallel composition, matching and replication: 

$P ::= \bar{a}b \mid \sum_{i \in I} \alpha_i.P_i \mid \nu a\,P \mid P_1 \,|\, P_2 \mid [a = b]P \mid\ !P$ 

where $\alpha$ is an input action $a(b)$ or a silent action $\tau$. We adopt for the sum 
operator the same shorthands as for ACCS. Free names and bound names of a 
process $P$, written $fn(P)$ and $bn(P)$ respectively, arise as expected; the names 
of $P$, written $n(P)$, are $fn(P) \cup bn(P)$. We shall consider processes up to α- 
equivalence. Thus α-equivalent processes have the same transitions and all bound 
names are always assumed to be different from each other and from the free 
names. The tilde will be used to denote tuples of names; when convenient, 
we shall regard a tuple simply as a set. We omit the definition of the operational 
semantics (see e.g. [1]), but recall that labels on transitions (actions), ranged 
over by $\mu$, can be of four forms: $\tau$ (interaction), $ab$ (input at $a$ of $b$), $\bar{a}b$ (output 
at $a$ of $b$) or $\bar{a}(b)$ (bound output at $a$ of $b$). Functions $bn(\cdot)$, $fn(\cdot)$ and $n(\cdot)$ 
are extended to actions as expected: in particular, $bn(\mu) = b$ if $\mu = \bar{a}(b)$ and 
$bn(\mu) = \emptyset$ otherwise. 

The definition of the may preorder over the π-calculus, $\sqsubseteq_m$, is formally the 
same as for ACCS. Due to the presence of matching (see e.g. [1]), $\sqsubseteq_m$ is not 
preserved by input prefix. 



The trace preorder We extend the operational semantics of the 7r-calculus 

with the following rule: if F F' and b ^ fn(F) then F F'. The new 
kind of action a(b) is called bound input; we extend bn(-) to bound inputs by 
letting bn(o(6)) = {b}. Below, we shall use to denote the set of all visible 
(non-r) actions, including bound inputs, and let $ range over it. Given a trace 
s G FJ, we say that s is normal if, whenever s — s'M.s" (the dot . stands 
for trace composition), for some s', Q and s" , then bn(0) does not occur in s' 
and bn(0) is different from any other bound name occurring in s" . Functions 




A Theory of "May" Testing for Asynchronous Languages 175 



$\mathrm{bn}(\cdot)$ and $\mathrm{fn}(\cdot)$ are extended to normal traces as expected. We consider normal traces up to $\alpha$-equivalence. The set of normal traces over the visible actions is denoted by $T$ and ranged over by $s$. From now on, we shall work with normal traces only. A complementation function $\bar{\cdot}$ on $T$ is defined by setting $\overline{a(b)} = \bar{a}(b)$, $\overline{ab} = \bar{a}b$, $\overline{\bar{a}b} = ab$ and $\overline{\bar{a}(b)} = a(b)$; note that $\bar{\bar{s}} = s$.



P1  $s.s' \preceq s.\theta.s'$  if $\theta$ is an input action and $\mathrm{bn}(\theta) \cap \mathrm{n}(s') = \emptyset$

P2  $s.\theta'.\theta.s' \preceq s.\theta.\theta'.s'$  if $\theta$ is an input action and $\mathrm{bn}(\theta) \cap \mathrm{n}(\theta') = \emptyset$

P3  $s.s' \preceq s.\theta.\bar{a}b.s'$  if $\theta = ab$ or ($\theta = a(b)$ and $b \notin \mathrm{n}(s')$)

P4  $s.\bar{a}c.(s'\{c/b\}) \preceq s.\bar{a}(b).s'$

Fig. 2. Trace ordering laws over $T$.

The presence of bound names requires a slightly different definition of the trace preorder $\preceq$, which is given below.

Definition 21. Let $\preceq_0$ be the least binary relation induced by the laws in Figure 2; $\preceq$ is the reflexive and transitive closure of $\preceq_0$.

Rules P1, P2, P3 are the natural extensions to the asynchronous $\pi$-calculus of the rules for ACCS. Here, some extra attention has to be paid to bound names: an output action declaring a new name (bound output) cannot be postponed after those actions that use that name. As an example, action $\bar{a}(b)$ cannot be postponed after $b(c)$ in any execution of the observer $\nu b(\bar{a}b \mid b(c).0)$. Accordingly, in the observed process, an input action receiving the new name, $a(b)$, cannot be postponed after output actions at $b$.

Rule P4 is specific to the $\pi$-calculus, and is linked to the impossibility for observers to fully discriminate between free and bound outputs. Informally, rule P4 states that if a bound (hence new) name is "acceptable" for an observer, then any public name is acceptable as well. Rule P4 would disappear if we extended the language with the mismatch operator ($[a \neq b]P$), considered e.g. in [6], which permits a full discrimination between free and bound outputs.

The definition of the trace-based preorder for the $\pi$-calculus relies on the trace preorder $\preceq$ and remains formally unchanged w.r.t. ACCS. In [7], we prove that this preorder and $\sqsubseteq_m$ coincide for the $\pi$-calculus. All the results obtained for ACCS about the trace-based model carry over smoothly to the $\pi$-calculus.



The proof system. A sound and complete proof system for $\sqsubseteq_m$ over the finite (without replication) part of the language can be obtained by "translating" the proof system for ACCS into the $\pi$-calculus, and then adding four new laws, as done in Table 2. I1 replaces the substitutivity rule for input prefix. M1 and M2 are concerned with matching, and S1 is related to the law P4 for $\preceq$.

We say that $P$ is provably below $Q$ if the inequality $P \sqsubseteq Q$ is derivable within the system of Table 2. Soundness of the system is straightforward. Completeness requires an




176 Michele Boreale et al.



I1   if for each $b \in \mathrm{fn}(P, Q)$, $P\{b/x\} \sqsubseteq Q\{b/x\}$, then $a(x).P \sqsubseteq a(x).Q$

M1   $[a = b]P = 0$   ($a \neq b$)

M2   $[a = a]P = P$

C1   $G + G = G$

P1   $P \mid 0 = P$

P2   $P \mid Q = Q \mid P$

P3   $P \mid (Q \mid R) = (P \mid Q) \mid R$

EXP  Let $G = \sum_{i \in I} \alpha_i.P_i$ and $G' = \sum_{j \in J} \alpha'_j.P'_j$, where each $\alpha_i$ (resp. $\alpha'_j$) does not bind free names of $G'$ (resp. $G$). Then: $\ldots (G \mid P'_j)$

H1   $(\nu\tilde{b})\sum_{i \in I} \alpha_i.P_i = \sum_{i \in I,\; \mathrm{n}(\alpha_i) \cap \tilde{b} = \emptyset} \alpha_i.(\nu\tilde{b})P_i$

H2   $(\nu\tilde{b})(P \mid Q) = P \mid (\nu\tilde{b})Q$   ($\tilde{b} \cap \mathrm{n}(P) = \emptyset$)

H3   $(\nu a)(\bar{a}b \mid \alpha.P) = \alpha.(\nu a)(\bar{a}b \mid P)$   ($a \notin \mathrm{n}(\alpha)$)

H4   $(\nu a)(\bar{a}b \mid a(c).P) = (\nu a)(P\{b/c\})$

T1

T2   $\sum_{i \in I} = \sum_{i \in I}$

T3   $P \sqsubseteq \tau.P$

T4   $G \sqsubseteq G + G'$

T5   $a(c).(\bar{b}d \mid P) \sqsubseteq \bar{b}d \mid a(c).P$   ($c \neq b$, $c \neq d$)

T6   $P\{b/c\} \sqsubseteq \bar{a}b \mid a(c).P$

A1   $a(c).b(d).P \sqsubseteq b(d).a(c).P$   ($c \neq b$, $c \neq d$)

A2   $a(c).(\bar{a}c \mid P) \sqsubseteq P$   ($c \notin \mathrm{n}(P)$)

S1   $(\nu c)P \sqsubseteq P\{b/c\}$

Table 2. Laws for the asynchronous $\pi$-calculus



appropriate definition of canonical form. This implies extending $\preceq$ via commutativity for output actions.

Definition 22. Let $\preceq|$ be the trace preorder over $T$ induced by laws P1-P4 plus the laws:

- (P5) $s.\theta.\theta'.s' \preceq s.\theta'.\theta.s'$ if $\mathrm{bn}(\theta) \cap \mathrm{fn}(\theta') = \emptyset$ and $\mathrm{bn}(\theta') \cap \mathrm{fn}(\theta) = \emptyset$;

- (P6) $s.\bar{a}(b).\bar{c}b.s' \preceq s.\bar{c}(b).\bar{a}b.s'$ if $b$.

Definition 23 (canonical forms). Let $s$ be a normal trace. The process $t(s)$ is defined by induction on $s$ as follows: $t(\varepsilon) = 0$, $t(\bar{a}(b).s') = \nu b(\bar{a}b \mid t(s'))$, $t(\bar{a}b.s') = \bar{a}b \mid t(s')$, $t(a(c).s') = a(c).t(s')$ and $t(ab.s') = a(x).[x = b]t(s')$ ($x$ fresh).

Modulo the new definitions of $t(s)$ and of $\preceq|$, the definitions of complete set, of minimal set and of canonical form remain formally as in Definition 13.

Lemma 24. If $t(s)$ can perform the trace $s'$, then $t(s') \sqsubseteq t(s)$.

Proof: The proof parallels that of Lemma 14. We analyze only the case when $s = \bar{a}(b).s_0$, hence $t(s) = \nu b(\bar{a}b \mid t(s_0))$. There are four possible cases for $s'$, depending on how the execution of actions in $t(s_0)$ and action $\bar{a}b$ are interleaved.

1. $t(s_0)$ performs $s'$ (action $\bar{a}b$ is not fired at all);

2. $s' = \sigma.\bar{a}'(b).\rho$ and $t(s_0)$ performs $\sigma.\bar{a}'b.\rho$;

3. $s' = \sigma.\bar{a}(b).\rho$ and $t(s_0)$ performs $\sigma.\rho$;

4. $s' = \sigma_1.\bar{a}'(b).\sigma_2.\bar{a}b.\rho$ and $t(s_0)$ performs $\sigma_1.\bar{a}'b.\sigma_2.\rho$.

For case 1, the thesis follows from the induction hypothesis. We now analyze case 4, because 2 and 3 are easier. By the induction hypothesis, $t(\sigma_1.\bar{a}'b.\sigma_2.\rho) \sqsubseteq t(s_0)$, hence

$$T = \nu b(\bar{a}b \mid t(\sigma_1.\bar{a}'b.\sigma_2.\rho)) \sqsubseteq \nu b(\bar{a}b \mid t(s_0)) = t(s).$$

On the other hand, by repeatedly applying T5 and P2, we can push $\bar{a}b$ rightward inside $T$ and get $\nu b\, t(\sigma_1.\bar{a}'b.\sigma_2.\bar{a}b.\rho) \sqsubseteq T$. Finally, since $b \notin \mathrm{n}(\sigma_1)$, we can push $\nu b$ rightward (using H1 and H2) until it reaches $\bar{a}'b$, to get $t(s') \sqsubseteq T$, and the thesis. □

Lemma 25. If $s' \preceq| s$ then $t(s) \sqsubseteq t(s')$.

Proof: The thesis is proven by induction on the number $n$ of times the laws P1-P6 are used to derive $s' \preceq| s$. As an example, we analyze the base case ($n = 1$), when $s' \preceq| s$ is derived with one application of P3. In particular, consider the case $s' = \sigma.ab.\bar{a}b.\rho$ and $s = \sigma.\rho$, for some $a$, $b$ and some traces $\sigma$ and $\rho$. For any $P$ and fresh $x$, we have that $a(x).[x = b](\bar{a}b \mid P) \sqsubseteq a(x).(\bar{a}x \mid P)$ (use rule I1 and laws M1 and M2). This inequality can be proven under any substitution for the names in $\mathrm{fn}(P) \cup \{a, b\}$, hence under any context. From this and A2, we get:

$$t(s) = t(\sigma)[a(x).[x = b](\bar{a}b \mid t(\rho))] \sqsubseteq t(\sigma)[a(x).(\bar{a}x \mid t(\rho))] = t(s').$$

□

The proof of uniqueness of canonical forms remains essentially unchanged. The proof of existence of provably equivalent canonical forms requires the following derived laws:

(1) $a(y).[b = c]P$   $\tau.[b = c]a(y).P + \tau.a(y)$   if   and

(2) $a(b).[b = c]P$   $a(b).[b = c]P\{c/b\}$.

These are used to accommodate matching, when initially proving that $P$ is equivalent to a summation of $t(s)$'s; then, the proof proceeds formally unchanged. Given the existence and the uniqueness of canonical forms, the actual proof of completeness remains essentially unchanged.

Theorem 26 (completeness). For finite $\pi$-calculus processes $P$ and $Q$, $P \sqsubseteq Q$ implies that $P$ is provably below $Q$.
6 Conclusions and Related Works

In this paper, we have studied a may testing semantics for two asynchronous variants of CCS and the $\pi$-calculus. For both calculi we have proposed a finitary trace-based interpretation of processes and a complete inequational proof system.

Recently, there have been various proposals of models of asynchronous processes. Two main approaches have been followed to this purpose. They differ in the way (non-blocking) output actions are modelled. The asynchronous variants of ACP [4], CSP [17] and LOTOS [21] introduce external buffers associated with output channels. This makes outputs non-blocking and immediately executable, while preserving the orderings between different output actions. Within the same group we can place the work on the foundations of actors [3]. Differently, the asynchronous variants of the $\pi$-calculus [16, 8, 14, 1] and CCS [20, 12, 9] model the output prefix $\bar{a}.P$ as a parallel composition $\bar{a} \mid P$, i.e. output actions are independent processes. The communication medium is rendered as a bag of messages, which is directly represented within the syntax as a parallel composition of output actions.

In the past, all these formalisms have been equipped with observational semantics based on bisimulation or failures, but very few denotational or equational characterizations have been studied. A notable exception is the work by de Boer, Palamidessi and their collaborators. On one hand, in [5], they propose a trace-based model for a variant of failure semantics; on the other, in [4], they provide axiomatizations that rely on state operators and explicitly model the evolution of buffers. Other studies deal with languages that fall in the first group of asynchronous formalisms and propose sets of laws that help to understand the proposed semantics, but do not offer complete axiomatizations [21, 3]. For those languages that model outputs by means of process creation, the only paper that presents an axiomatization is [1]. There, a complete axiomatization of strong bisimilarity for the asynchronous $\pi$-calculus is proposed, but the problem of axiomatizing weak ($\tau$-forgetful) variants of the equivalence is left open.

A paper closely related to ours is the recent [10]. There, for a variant of asynchronous CCS, the authors present a complete axiomatization of must testing semantics, which is more appropriate for reasoning about liveness properties. No finitary model is presented and the problem of extending the results to the asynchronous $\pi$-calculus is left open.

Acknowledgments. Five anonymous referees provided valuable suggestions; the Istituto di Elaborazione dell'Informazione in Pisa made our collaboration possible.
Abstract. Unification in logic programming deals with tree-like data 
represented by terms. Some applications, including deductive databases, 
require handling more complex values, for example finite sets or bags (fi- 
nite multisets) . We extend unification to the combined domain of bags, 
sets and trees in which bags and sets are generated by constructors sim- 
ilar to the list constructor. Our unification algorithm is presented as 
a nondeterministic polynomial-time algorithm that solves equality con- 
straints in the spirit of the Martelli and Montanari algorithm. 

1 Introduction 

Logic programming languages deal with tree-like data represented by terms. 
Some applications require to handle other kinds of data such as finite sets or 
bags (finite multisets). For example, this problem arises in databases: relational 
query languages typically deal with tuples of atomic values and extension to 
more complex values is required. Various kinds of complex values in databases 
and logic programming have been considered in many papers, including [2, 3, 31, 
16, 46, 43, 32, 15, 1, 27, 26, 22, 20, 48]. 

In this paper we extend unification, the core mechanism of logic programming, to handle bags and sets. When bags and sets are represented using the union operations, bag and set unification is a particular case of AC1- and ACI1-unification, which has been extensively studied [44, 25, 24, 10, 33, 18]. Recently, a number of unification algorithms have been introduced for various domains of bags and sets built with the bag and set constructors similar to the list constructor used in functional and logic programming [21, 22, 45, 9].

We contribute to this area by introducing a new unification algorithm for the combined domain of bags, sets and trees. The main novelty of our algorithm is that it is a nondeterministic polynomial-time algorithm. The algorithm is formalized as a nondeterministic algorithm that solves systems of equations in the spirit of the Martelli and Montanari unification algorithm [38], i.e. it uses a collection of rules that transform systems into equivalent ones. The algorithm is don't-care nondeterministic with respect to the choice of applicable rules. Nondeterministic branches lead to unifiers represented by systems in solved form (triangle form). These unifiers form a complete set of unifiers of the input system; its cardinality is bounded by a single-exponential function of the input size $n$. Thus, we obtain a
W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 180-196, 1999. 
single-exponential upper bound on the cardinality of a minimal complete set of unifiers in our domain (cf. a double-exponential lower bound for AC unification in the domain with the bag union [30]).

The paper is organized as follows. In Section 2 we extend the Herbrand universe by adding terms that represent bags and sets. Thus, the extended domain (denoted by $\mathcal{HU}_\mathcal{F}$) contains bags, sets and trees. Values in this domain are untyped; for example, one can construct a bag whose members are sets and trees. The semantics of logic programs over $\mathcal{HU}_\mathcal{F}$ is defined in Section 2 too. We show that logic programming over $\mathcal{HU}_\mathcal{F}$ is powerful enough to represent all computable predicates on this domain.

Section 3 is the main section of this paper. It contains a description of our algorithm and theorems asserting that the algorithm is sound, complete and runs in nondeterministic polynomial time. Since NP-hardness is proved easily [28], we obtain that unification over $\mathcal{HU}_\mathcal{F}$ is NP-complete. It follows from these theorems that the algorithm yields complete sets of unifiers and their cardinalities are at most single-exponential in the input size. This bound is tight. In this section we also describe a number of important special cases in which our algorithm is optimal, i.e. it gives minimal complete sets of unifiers. Due to space reasons, we do not include proofs in this paper; they can be found in our technical report [19]. This report also contains many examples that illustrate the algorithm as well as some related notions.

In Section 4 we briefly sketch some related results and directions of further research. In particular, we discuss bag and set unification in the context of AC and ACI unification. We also compare our algorithm with other known algorithms. Some extensions and applications of our results are discussed too.

There are several aspects of handling complex values that are beyond the scope of this paper. We do not consider the introduction of an object structure on $\mathcal{HU}_\mathcal{F}$ and we do not discuss questions like object identity. We do not consider the semantics of negation. Our algorithm can be optimized in some ways, but we do not discuss such optimizations here.



2 The combined domain of bags, sets and trees

There are several possibilities to define data models that deal with bags, finite sets and trees. In this section we choose a particular data model; some variations are considered in [19]. For brevity we say "set" instead of "finite set" in the context of this data model. "Bag" is a synonym for "finite multiset".

The Herbrand universe with bags and sets. We extend the Herbrand universe by adding the bag and set constructors. The definition is parametrized by a set $\mathcal{F}$ of function symbols. As usual, symbols in $\mathcal{F}$ have non-negative arities. Constants are function symbols of arity 0. Intuitively, constants represent atomic values, like integers or strings. Function symbols of arity $\geq 1$ are viewed as tree constructors that are used to construct complex values from existing ones.

More precisely, given a set $\mathcal{F}$ of function symbols, the Herbrand universe with bags and sets, denoted $\mathcal{HU}_\mathcal{F}$, is defined inductively as follows.
1. Any constant in $\mathcal{F}$ belongs to $\mathcal{HU}_\mathcal{F}$. These constants are called atomic values.

2. If $v_1, \ldots, v_n \in \mathcal{HU}_\mathcal{F}$, where $n \geq 0$, then the bag consisting of $v_1, \ldots, v_n$ belongs to $\mathcal{HU}_\mathcal{F}$. This bag is denoted by $\{\!|v_1, \ldots, v_n|\!\}$ and called a bag value.

3. If $v_1, \ldots, v_n \in \mathcal{HU}_\mathcal{F}$, where $n \geq 0$, then the set $\{v_1, \ldots, v_n\}$ belongs to $\mathcal{HU}_\mathcal{F}$. This set is called a set value.

4. If $f \in \mathcal{F}$ has arity $n \geq 1$ and $v_1, \ldots, v_n \in \mathcal{HU}_\mathcal{F}$, then the expression $f(v_1, \ldots, v_n)$ belongs to $\mathcal{HU}_\mathcal{F}$. This expression represents the tree whose root has $n$ children; the root is labeled by $f$ and the children are $v_1, \ldots, v_n$. The expression $f(v_1, \ldots, v_n)$ is called a tree value.

Thus, $\mathcal{HU}_\mathcal{F}$ consists of untyped values. For example, the set $\{\{\!|1, 1|\!\}, \{2\}, 3, f(4)\}$ contains a bag, a set, an atomic value and a tree.

Equality on $\mathcal{HU}_\mathcal{F}$ is defined inductively as follows.

1. Two atomic values are equal if they coincide.

2. Bag values $\{\!|u_1, \ldots, u_m|\!\}$ and $\{\!|v_1, \ldots, v_n|\!\}$ are equal if $m = n$ and there is a permutation $p$ of the sequence $1, \ldots, m$ such that $u_i$ is equal to $v_{p(i)}$ for all $i$.

3. Set values $\{u_1, \ldots, u_m\}$ and $\{v_1, \ldots, v_n\}$ are equal if each $u_i$ is equal to some $v_j$, and vice versa, each $v_j$ is equal to some $u_i$.

4. Tree values $f(u_1, \ldots, u_n)$ and $g(v_1, \ldots, v_n)$ are equal if $f$ coincides with $g$ and $u_i$ is equal to $v_i$ for all $i$.

5. No other equalities hold on $\mathcal{HU}_\mathcal{F}$.

Terms and their sorts. In order to represent elements of $\mathcal{HU}_\mathcal{F}$, we introduce the corresponding notion of a term. We assume that $\{\!|\,|\!\}$ and $\{\}$ are two constants foreign to $\mathcal{F}$. They represent the empty bag and the empty set respectively. Two binary function symbols $\{\!|\,\cdot \mid \cdot\,|\!\}$ and $\{\cdot \mid \cdot\}$ are assumed to be foreign to $\mathcal{F}$ too. They are used to construct bags and sets. Namely, if a term $s$ represents an arbitrary element of $\mathcal{HU}_\mathcal{F}$ and a term $t$ represents a bag, then the term $\{\!|s \mid t|\!\}$ represents the bag formed by appending the element corresponding to $s$ to the bag corresponding to $t$. Similarly, a term $\{s \mid t\}$ represents the set formed by adding the element represented by $s$ to the set represented by $t$.

All terms will be divided into three sorts: the sort of bags $\mathsf{b}$, the sort of sets $\mathsf{s}$ and the universal sort $\mathsf{u}$. We assume that there are three kinds of variables, called bag variables, set variables and universal variables. Terms and their sorts are defined as follows.

1. A bag variable is a term of sort $\mathsf{b}$. A set variable is a term of sort $\mathsf{s}$. A universal variable is a term of sort $\mathsf{u}$.

2. The constant $\{\!|\,|\!\}$ is a term of sort $\mathsf{b}$. The constant $\{\}$ is a term of sort $\mathsf{s}$. Any constant in $\mathcal{F}$ is a term of sort $\mathsf{u}$.

3. If $s$ is an arbitrary term and $t$ is a term of sort $\mathsf{b}$, then $\{\!|s \mid t|\!\}$ is a term of sort $\mathsf{b}$. If $s$ is an arbitrary term and $t$ is a term of sort $\mathsf{s}$, then $\{s \mid t\}$ is a term of sort $\mathsf{s}$. Any expression of the form $f(t_1, \ldots, t_n)$, where $f \in \mathcal{F}$ and $t_1, \ldots, t_n$ are arbitrary terms, is a term of sort $\mathsf{u}$.

4. No other terms can be formed.
We also introduce the partial order $\sqsubseteq$ on the terms. For any terms $s, t$, we write $s \sqsubseteq t$ if $s$ and $t$ have the same sort or $t$ is of sort $\mathsf{u}$.

Equations and solutions. A mapping $\nu$ from the set of all variables to $\mathcal{HU}_\mathcal{F}$ is called a valuation if $\nu$ maps every bag variable to a bag value and every set variable to a set value. Universal variables can be mapped to any values. We extend valuations from variables to terms as follows. Let $\nu$ be a valuation and $r$ be a non-variable term. The value $\nu(r)$ is defined inductively:

1. $\nu(\{\!|\,|\!\})$ is the bag value $\{\!|\,|\!\}$. If $r$ is $\{\!|s \mid t|\!\}$ and $\nu(t)$ is a bag value $\{\!|v_1, \ldots, v_n|\!\}$, then $\nu(r)$ is the bag value $\{\!|\nu(s), v_1, \ldots, v_n|\!\}$.

2. $\nu(\{\})$ is the set value $\{\}$. If $r$ is $\{s \mid t\}$ and $\nu(t)$ is a set value $\{v_1, \ldots, v_n\}$, then $\nu(r)$ is the set value $\{\nu(s), v_1, \ldots, v_n\}$.

3. If $r$ is $f(v_1, \ldots, v_n)$, where $n \geq 0$, then $\nu(r)$ is $f(\nu(v_1), \ldots, \nu(v_n))$.

By this definition, the value $\nu(r)$ for a ground term $r$ remains the same for all $\nu$. Hence, elements of $\mathcal{HU}_\mathcal{F}$ can be alternatively defined as equivalence classes of ground terms by the equality relation.

By an equation we mean any expression $s = t$, where $s, t$ are terms. A solution to an equation is a valuation $\nu$ such that $\nu(s)$ is equal to $\nu(t)$. A finite set of equations is also called a system (of equations) or an equality constraint. A valuation is a solution to a system if it is a solution to every equation in the system. We fix some system that has no solution and denote this system by $\bot$.
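As an added illustration (not code from the paper), the following Python models the values of $\mathcal{HU}_\mathcal{F}$, the five equality clauses, the sorted variables and the extension of a valuation $\nu$ to terms, and then decides whether a valuation solves a system. The class and function names are my own, and all sample values and equations are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Any, Dict, Sequence, Set, Tuple

# Added example, not from the paper: a small model of HU_F and of valuations over it.
# Representation choices are mine; the equality and valuation clauses follow the text.

@dataclass(frozen=True)
class Bag:                      # bag value {|v1, ..., vn|}; member order is irrelevant
    members: Tuple[Any, ...]

@dataclass(frozen=True)
class SetV:                     # set value {v1, ..., vn}; order and duplicates irrelevant
    members: Tuple[Any, ...]

@dataclass(frozen=True)
class Tree:                     # tree f(v1, ..., vn); as a term, children may be variables
    f: str
    children: Tuple[Any, ...]

@dataclass(frozen=True)
class Var:                      # variable of sort 'b' (bag), 's' (set) or 'u' (universal)
    name: str
    sort: str

@dataclass(frozen=True)
class BagCons:                  # term {|s | t|}: prepend head to the bag denoted by tail
    head: Any
    tail: Any

@dataclass(frozen=True)
class SetCons:                  # term {s | t}: add head to the set denoted by tail
    head: Any
    tail: Any

EMPTY_BAG = Bag(())             # the constant {||}
EMPTY_SET = SetV(())            # the constant {}


def equal(u: Any, v: Any) -> bool:
    """Equality on HU_F, following the paper's five clauses."""
    if isinstance(u, Bag) and isinstance(v, Bag):
        # clause 2: same size and a one-to-one matching of members (greedy matching is
        # sound because equality is an equivalence relation)
        if len(u.members) != len(v.members):
            return False
        remaining = list(v.members)
        for m in u.members:
            for i, r in enumerate(remaining):
                if equal(m, r):
                    del remaining[i]
                    break
            else:
                return False
        return True
    if isinstance(u, SetV) and isinstance(v, SetV):
        # clause 3: every member of one equals some member of the other, both ways
        return (all(any(equal(m, r) for r in v.members) for m in u.members) and
                all(any(equal(r, m) for m in u.members) for r in v.members))
    if isinstance(u, Tree) and isinstance(v, Tree):
        # clause 4: same root symbol and pairwise equal children
        return (u.f == v.f and len(u.children) == len(v.children) and
                all(equal(a, b) for a, b in zip(u.children, v.children)))
    if isinstance(u, (Bag, SetV, Tree)) or isinstance(v, (Bag, SetV, Tree)):
        return False            # clause 5: no equalities across kinds of values
    return u == v               # clause 1: atomic values (ints or strings here)


def variables_of(term: Any) -> Set[Var]:
    """All variables occurring in a term."""
    if isinstance(term, Var):
        return {term}
    if isinstance(term, (BagCons, SetCons)):
        return variables_of(term.head) | variables_of(term.tail)
    if isinstance(term, Tree):
        return set().union(*(variables_of(c) for c in term.children))
    return set()


def respects_sorts(nu: Dict[str, Any], variables: Set[Var]) -> bool:
    """The valuation condition: bag variables map to bags, set variables to sets."""
    return all((v.sort != 'b' or isinstance(nu[v.name], Bag)) and
               (v.sort != 's' or isinstance(nu[v.name], SetV)) for v in variables)


def evaluate(term: Any, nu: Dict[str, Any]) -> Any:
    """Extend a valuation nu (variable name -> value) to a term, as nu(r) in the text."""
    if isinstance(term, Var):
        return nu[term.name]
    if isinstance(term, BagCons):
        return Bag((evaluate(term.head, nu),) + evaluate(term.tail, nu).members)
    if isinstance(term, SetCons):
        return SetV((evaluate(term.head, nu),) + evaluate(term.tail, nu).members)
    if isinstance(term, Tree):
        return Tree(term.f, tuple(evaluate(c, nu) for c in term.children))
    return term                 # constants {||}, {} and atomic values denote themselves


def solves(equations: Sequence[Tuple[Any, Any]], nu: Dict[str, Any]) -> bool:
    """True if nu is a valuation that solves every equation (s, t) of the system."""
    variables = set().union(*(variables_of(s) | variables_of(t) for s, t in equations))
    if not respects_sorts(nu, variables):
        return False            # nu is not a valuation at all
    return all(equal(evaluate(s, nu), evaluate(t, nu)) for s, t in equations)


# Constructed sample: the paper's example value {{|1,1|}, {2}, 3, f(4)} written two ways.
SAMPLE_A = SetV((Bag((1, 1)), SetV((2,)), 3, Tree('f', (4,))))
SAMPLE_B = SetV((3, Tree('f', (4,)), SetV((2, 2)), Bag((1, 1))))

# Constructed system: x = {|y | z|} with x, z bag variables and y a universal variable.
X, Y, Z = Var('x', 'b'), Var('y', 'u'), Var('z', 'b')
SYSTEM = [(X, BagCons(Y, Z))]

if __name__ == '__main__':
    print(equal(SAMPLE_A, SAMPLE_B))                                   # True
    print(solves(SYSTEM, {'x': Bag((1, 1)), 'y': 1, 'z': Bag((1,))}))  # True
    print(solves(SYSTEM, {'x': Bag((1,)), 'y': 1, 'z': SetV(())}))     # False: z is a bag variable
```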



Logic programs over $\mathcal{HU}_\mathcal{F}$ and their semantics. The notion of a Horn clause is defined as usual. We assume that atoms in Horn clauses are not equalities. A logic program over $\mathcal{HU}_\mathcal{F}$ is a finite set of Horn clauses. A Herbrand model of a logic program $L$ over $\mathcal{HU}_\mathcal{F}$ is any model $\mathfrak{M}$ of $L$ such that (i) the carrier set of $\mathfrak{M}$ is $\mathcal{HU}_\mathcal{F}$ and (ii) each ground term is interpreted in $\mathfrak{M}$ by itself. As usual, a Herbrand model can be identified with the set of ground atoms true in this model. Thus we can redefine a Herbrand model $\mathfrak{M}$ as a set of ground non-equality atoms (meaning the set of ground non-equality atoms true in $\mathfrak{M}$).

For two Herbrand models $\mathfrak{M}_1$ and $\mathfrak{M}_2$, we write $\mathfrak{M}_1 \subseteq \mathfrak{M}_2$ if the set of all ground atoms true in $\mathfrak{M}_1$ is a subset of all ground atoms true in $\mathfrak{M}_2$. It is not difficult to prove that any logic program over $\mathcal{HU}_\mathcal{F}$ has the least Herbrand model (with respect to $\subseteq$). This statement is basically a straightforward generalization of the standard facts of logic programming theory [35, 8].

We say that a logic program $L$ over $\mathcal{HU}_\mathcal{F}$ defines a relation $R$ on $\mathcal{HU}_\mathcal{F}$ if for some predicate $P$ in $L$, the predicate $P$ is interpreted as $R$ in the least Herbrand model of $L$.

There are several ways of defining a procedural semantics of logic programs over $\mathcal{HU}_\mathcal{F}$. The standard way is to modify SLD-resolution, namely, instead of SLD-resolution using substitutions, we can use constraint SLD-resolution defined similarly to [36, 37]. In particular, constraint SLD-resolution over $\mathcal{HU}_\mathcal{F}$ uses unification over $\mathcal{HU}_\mathcal{F}$, i.e. solving equality constraints over $\mathcal{HU}_\mathcal{F}$.
Logic programs and computability on $\mathcal{HU}_\mathcal{F}$. Since elements of $\mathcal{HU}_\mathcal{F}$ can be obviously represented as strings of symbols, we can speak of computable (aka recursively enumerable) relations on $\mathcal{HU}_\mathcal{F}$. The following theorem shows that our constructors are enough to represent any computable relation on $\mathcal{HU}_\mathcal{F}$.

Theorem 1. A relation $R$ on $\mathcal{HU}_\mathcal{F}$ is recursively enumerable if and only if there exists a logic program $L$ that defines $R$.

The proof can be easily obtained by adapting the proof of [49] or other similar proofs (e.g., [6]).

3 Unification algorithm 

In this section we introduce a unification algorithm for $\mathcal{HU}_\mathcal{F}$. The algorithm is presented as a nondeterministic algorithm that transforms an input system of equations into an output system in solved form (defined below). The work of the algorithm is based on repeated applications of transformation rules. The output systems (all nondeterministic results) are equivalent to the input systems in the sense described in Theorem 3.

3.1 Some definitions and notation 

Notation for bags and sets. Like the logic programming notation for lists, we write $\{\!|s_1, \ldots, s_n \mid t|\!\}$ and $\{\!|s_1, \ldots, s_n|\!\}$ for the terms $\{\!|s_1 \mid \ldots \{\!|s_n \mid t|\!\} \ldots|\!\}$ and $\{\!|s_1 \mid \ldots \{\!|s_n \mid \{\!|\,|\!\}|\!\} \ldots|\!\}$ respectively, and similarly for sets. Letters $x, y, z, u, v, w$ with or without indices are used to denote variables. Capital letters $X, Y, \ldots$ (possibly with indices) stand for sequences of variables. For example, if $X$ and $Y$ stand for $x_1, \ldots, x_k$ and $y_1, \ldots, y_m$ respectively, then $\{X, Y \mid u\}$ and $\{X, Y\}$ denote $\{x_1, \ldots, x_k, y_1, \ldots, y_m \mid u\}$ and $\{x_1, \ldots, x_k, y_1, \ldots, y_m\}$. When we use the notation $\{\!|X \mid s|\!\}$ and $\{X \mid s\}$, where $s$ is a variable, we assume that $X$ is non-empty. The length of a sequence $X$, i.e. the number of its members, is denoted by $|X|$. If $X$ and $Y$ are $x_1, \ldots, x_n$ and $y_1, \ldots, y_n$ respectively, $X = Y$ stands for $x_1 = y_1, \ldots, x_n = y_n$. Sometimes, we shall use capital letters joined by the set union $\cup$, for example $X \cup Y$. In this case, we mean by such an expression the sequence obtained by appending the sequence $Y$ to the sequence $X$ and removing duplicates. For example, if $X$ is $x, x, y$ and $Y$ is $y, y, z$ then $X \cup Y$ denotes the sequence $x, y, z$.

Reduction using $x = y$. Let $x$ and $y$ be variables appearing in a system $S$. The following transformation of $S$ is called reduction using $x = y$. First, remove $x = y$ and $y = x$ (if any) from $S$. Then do the following:

1. If $x$ and $y$ are the same variable, do nothing.

2. Otherwise, if one of $x, y$ is of sort $\mathsf{b}$ and the other is of sort $\mathsf{s}$, transform $S$ into $\bot$.

3. Otherwise, if $y \sqsubseteq x$, replace $x$ by $y$ in all equations in $S$ and add $x = y$ to $S$.

4. Otherwise (in this case $x \sqsubseteq y$), replace $y$ by $x$ in all equations in $S$ and add $y = x$ to $S$.
Isolated equations. Let $S$ be a system containing an equation $x = t$. This equation is called isolated in $S$ if (i) $t \sqsubseteq x$ and (ii) $x$ has exactly one occurrence in $S$ (namely, the occurrence in the left-hand side of $x = t$). Note that if $x = y$ belongs to $S$ and is not isolated in $S$, then reduction using $x = y$ changes $x = y$ to an isolated equation $x = y$ or $y = x$.

Simple equations. We define a bag equation as an equation $x = \{\!|Y \mid z|\!\}$, where $x$ and $z$ are bag variables and $Y$ is a sequence of variables. Similarly, $x = \{Y \mid z\}$, where $x$ and $z$ are set variables and $Y$ is a sequence of variables, is called a set equation. We define a simple equation as any of the following equations: (i) a bag equation, (ii) a set equation, (iii) an equation $x = f(x_1, \ldots, x_n)$, where $n \geq 0$ and $x, x_1, \ldots, x_n$ are variables.

Systems without duplication. Let $S$ be a system consisting of only simple or isolated equations. We call $S$ a system of simple or isolated equations without duplication if $S$ contains no pair of equations $x = t$ and $y = t$ such that $t$ is not a variable.

Lemma 1. Any system $S$ can be transformed in polynomial time to a system $S'$ that satisfies the following conditions:

1. $S'$ is a system of simple or isolated equations without duplication.

2. Any solution to $S'$ is also a solution to $S$.

3. For any solution $\nu$ to $S$, there is a solution $\nu'$ to $S'$ such that $\nu$ and $\nu'$ coincide on all variables of $S$.

Proof. We shall only sketch the transformation.

1. Get rid of non-variable terms in left sides of equations by introducing new variables. An equation $s = t$ is replaced by two equations $x = s$ and $x = t$, where $x$ is a new universal variable.

2. Variable abstraction. Get rid of non-simple equations $x = t$, where $t$ is not a variable, by introducing new variables. For example, the equation $x = \{\{\}, f(a), b\}$ is replaced by five equations $x = \{y, z, v \mid y\}$, $y = \{\}$, $z = f(u)$, $u = a$ and $v = b$, where $z, u, v$ are new universal variables and $y$ is a new set variable.

3. To get rid of duplications, for any pair of equations $x = t$ and $y = t$ remove $x = t$ and apply reduction using $x = y$.

4. Now every non-simple equation is an equation between two variables $x = y$. If this equation is not isolated, apply reduction using $x = y$.

From now on we deal only with systems of simple or isolated equations without duplication.

Graphs associated with systems. To describe the algorithm, we associate with any system $S$ a directed graph denoted by $\mathcal{G}_S$ and called the graph of $S$. The nodes of this graph are all bag and set variables occurring in $S$. If $S$ contains a bag equation $x = \{\!|Y \mid z|\!\}$ or a set equation $x = \{Y \mid z\}$, then the graph $\mathcal{G}_S$ contains an edge from $x$ to $z$ labeled by $Y$.

Final variables. A bag variable $x$ is said to be final in $S$ if $\mathcal{G}_S$ contains no edge coming from $x$. A set variable $x$ is called final in $S$ if whenever $\mathcal{G}_S$ contains a path from $x$ to another node $y$, it also contains a path from $y$ to $x$.

Bag and set cycles. We define a bag cycle as a bag equation $x = \{\!|Y \mid x|\!\}$ or a sequence of bag equations

$$x_1 = \{\!|Y_1 \mid x_2|\!\},\; x_2 = \{\!|Y_2 \mid x_3|\!\},\; \ldots,\; x_m = \{\!|Y_m \mid x_1|\!\},$$

where $m \geq 2$ and $x_1, \ldots, x_m$ are pairwise different variables. A set cycle is defined similarly.

Bag and set extensions. Assume that a system $S$ contains a sequence of bag equations

$$y_1 = \{\!|X_1 \mid y_2|\!\},\; y_2 = \{\!|X_2 \mid y_3|\!\},\; \ldots,\; y_m = \{\!|X_m \mid y_{m+1}|\!\},$$

where $m \geq 1$ and $y_{m+1}$ is a final variable. We say that the bag equation

$$y_1 = \{\!|X_1, \ldots, X_m \mid y_{m+1}|\!\}$$

is an extension of the equation $y_1 = \{\!|X_1 \mid y_2|\!\}$.

Similarly, if $S$ contains a sequence of set equations

$$y_1 = \{X_1 \mid y_2\},\; y_2 = \{X_2 \mid y_3\},\; \ldots,\; y_m = \{X_m \mid y_{m+1}\},$$

where $m \geq 1$ and $y_{m+1}$ is a final variable, then an extension of the set equation $y_1 = \{X_1 \mid y_2\}$ is defined as the equation

$$y_1 = \{X_1 \cup \ldots \cup X_m \mid y_{m+1}\}.$$

Note that if a bag equation has no extension then $S$ has a bag cycle. Every set equation has an extension.

Reduction using $X = Y$. Let $X$ and $Y$ be sequences $x_1, \ldots, x_n$ and $y_1, \ldots, y_n$ of variables respectively. Informally, reduction using $X = Y$ is successive reductions using $x_1 = y_1, \ldots, x_n = y_n$. More precisely, denote the system $S$ by $S_0$ and denote the system $\{X = Y\}$ by $E_0$. Define $S_i$ and $E_i$ for $1 \leq i \leq n$ as follows. Let $u = v$ be any equation in $E_{i-1}$. Then $S_i$ is obtained from $S_{i-1}$ by reduction using $u = v$, and $E_i$ is obtained from $E_{i-1}$ by reduction using $u = v$ and removing $u = v$ or $v = u$. Reduction using $X = Y$ is defined as the transformation replacing $S$ by $S_n$.

Correspondences between sequences. Let $X$ and $Y$ be sequences of variables. We define correspondences between $X$ and $Y$, namely correspondences of two kinds called bag correspondences and set correspondences. A bag correspondence between $X$ and $Y$ is defined as an equivalence relation on $X \cup Y$ such that for every equivalence class $R$, the variables of $R$ satisfy the following condition:

The total number of their occurrences in $X$ is equal to the total number of their occurrences in $Y$.

For example, let $X$ and $Y$ be $x, x, y, z$ and $x, y, y, u$ respectively. Then there are three bag correspondences between $X$ and $Y$. The first consists of two equivalence classes $\{x, y\}$ and $\{u, z\}$, the second consists of $\{x, u\}$ and $\{y, z\}$, and the third consists of one class $\{x, y, z, u\}$. Obviously, there exists a bag correspondence between $X$ and $Y$ if and only if $X$ and $Y$ have the same length.

A bag correspondence is called minimal if no equivalence class can be split into proper disjoint subsets such that the resulting equivalence relation remains a bag correspondence. In the above example, the first and second correspondences are minimal and the third one is not minimal. Note that minimality can be checked in polynomial time by reducing this problem to the unary version of the knapsack problem, i.e. the version in which weights and values are given in unary notation (see e.g. [41]). Details of the reduction will be given in a full version of the paper.

A set correspondence between $X$ and $Y$ is an equivalence relation on $X \cup Y$ such that for every equivalence class $R$, we have

$R$ contains at least one variable of $X$ and at least one variable of $Y$.

Like the case of bag correspondences, a set correspondence is called minimal if no equivalence class can be split into proper disjoint subsets such that the resulting equivalence relation remains a set correspondence. In this case, it means that each equivalence class contains either exactly one variable of $X$ or exactly one variable of $Y$.

For example, let $X$ and $Y$ be $x, x, y, z$ and $x, u, v, w$ respectively. Then the equivalence relation consisting of classes $\{x, u\}$, $\{y, v\}$ and $\{z, w\}$ is a minimal set correspondence between $X$ and $Y$. The relation consisting of $\{x, y, u\}$ and $\{z, v, w\}$ is a set correspondence but it is not minimal.

Let $E$ be any set of equations $x_i = y_j$ where $x_i$ is in $X$ and $y_j$ is in $Y$. By $\sim_E$ we denote the smallest equivalence relation on $X \cup Y$ containing all pairs $(x, y)$ such that $(x = y) \in E$. We say that $E$ is a (minimal) bag or set correspondence between $X$ and $Y$ if such is $\sim_E$. For example, the set $\{x = u, y = v, z = w\}$ is a minimal set correspondence between $X$ and $Y$ that denote $x, x, y, z$ and $x, u, v, w$ respectively.
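As an added worked example (not from the paper), the following Python enumerates all bag and set correspondences between two variable sequences, checks minimality by trying to split each class, and builds the relation $\sim_E$ from a set of equations. It reproduces both examples from the text; the function names are mine, and the minimality check is a brute-force subset search rather than the unary-knapsack reduction the paper mentions.

```python
from collections import Counter
from itertools import combinations
from typing import FrozenSet, List, Sequence, Set, Tuple

# Added example, not from the paper. A relation is represented by its equivalence classes.
Relation = FrozenSet[FrozenSet[str]]


def set_partitions(items: List[str]):
    """Yield every partition of a list of distinct items into non-empty blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        for i in range(len(part)):              # put first into an existing block ...
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part                  # ... or into a block of its own


def bag_ok(cls, X, Y) -> bool:
    """Bag condition: the class's total occurrences in X equal those in Y."""
    cx, cy = Counter(X), Counter(Y)
    return sum(cx[v] for v in cls) == sum(cy[v] for v in cls)


def set_ok(cls, X, Y) -> bool:
    """Set condition: the class contains a variable of X and a variable of Y."""
    return any(v in X for v in cls) and any(v in Y for v in cls)


def correspondences(X: Sequence[str], Y: Sequence[str], kind: str) -> Set[Relation]:
    """All bag (kind='bag') or set (kind='set') correspondences between X and Y."""
    ok = bag_ok if kind == 'bag' else set_ok
    variables = sorted(set(X) | set(Y))        # the carrier X ∪ Y, duplicates removed
    return {frozenset(frozenset(c) for c in part)
            for part in set_partitions(variables)
            if all(ok(c, X, Y) for c in part)}


def is_minimal(rel: Relation, X, Y, kind: str) -> bool:
    """Minimal: no class splits into two non-empty parts that both satisfy the condition.
    Brute-force over subsets; the paper reduces this to unary knapsack instead."""
    ok = bag_ok if kind == 'bag' else set_ok
    for cls in rel:
        members = sorted(cls)
        for k in range(1, len(members)):
            for sub in combinations(members, k):
                rest = [v for v in members if v not in sub]
                if ok(sub, X, Y) and ok(rest, X, Y):
                    return False
    return True


def relation_of(E: Sequence[Tuple[str, str]], X, Y) -> Relation:
    """~_E: the smallest equivalence relation on X ∪ Y containing the pairs of E (union-find)."""
    parent = {v: v for v in set(X) | set(Y)}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for a, b in E:
        parent[find(a)] = find(b)
    classes = {}
    for v in parent:
        classes.setdefault(find(v), set()).add(v)
    return frozenset(frozenset(c) for c in classes.values())


def rel(*classes: str) -> Relation:
    """Shorthand for writing a relation: rel('xy', 'zu') is {{x, y}, {z, u}}."""
    return frozenset(frozenset(c) for c in classes)


# Constructed inputs: the two examples used in the text.
X_BAG, Y_BAG = ['x', 'x', 'y', 'z'], ['x', 'y', 'y', 'u']
X_SET, Y_SET = ['x', 'x', 'y', 'z'], ['x', 'u', 'v', 'w']

if __name__ == '__main__':
    for r in sorted(correspondences(X_BAG, Y_BAG, 'bag'), key=len):
        tag = 'minimal' if is_minimal(r, X_BAG, Y_BAG, 'bag') else 'not minimal'
        print(sorted(sorted(c) for c in r), tag)
```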



3.2 Rules 

Rule 1 (Tree Decomposition). This rule can be applied to a system S if S 
contains two distinct equations z = f{xi ,■■■ , ar„) and z = f(yi , . . . , |/„)j where 
f £ IF and n>0. Remove the equation z = f(xi, ■ ■ ■ , ar„) from S and reduce S 
using xi — yi, ... ,x„^ — y^. (This rule is close to the term decomposition rule 
of [38]). 
Rule 2 (Bag Decomposition). The rule can be applied to a system S if the system contains bag equations z = s and z = t, where s and t are different. If at least one of z = s and z = t has no extension then transform S into ⊥ (the system contains a bag cycle). Otherwise, choose any extensions of z = s and z = t. Remove z = s and z = t from S and consider two possible cases.

1. The extensions have the forms z = {|X | u|} and z = {|Y | u|}. If |X| ≠ |Y| then transform S into ⊥. Otherwise, add to S the equation z = {|Y | u|}. Don't-know nondeterministically generate a minimal bag correspondence E between X and Y and reduce S using E.

2. The extensions have the forms z = {|X | u|} and z = {|Y | v|}, where the variables u and v are different. Don't-know nondeterministically divide X into disjoint parts X_1 and X_2 (one of them may be empty). Similarly, don't-know nondeterministically divide Y into Y_1 and Y_2. Informal comment: X_1 and Y_1 are intended to coincide as bags, X_2 and Y_2 are intended to have no common elements. The division is required to satisfy the following conditions. First, the parts X_1 and Y_1 have the same length, i.e. |X_1| = |Y_1|. Second, X_2 and Y_2 contain no common variables. Then S is transformed as follows.

(a) Add the equation z = {|X_2, Y_1, Y_2 | w|}, where w is a new bag variable.

(b) If X_2 is non-empty, add the equation v = {|X_2 | w|}. Otherwise, reduce S using v = w.

(c) If Y_2 is non-empty, add the equation u = {|Y_2 | w|}. Otherwise, reduce S using u = w.

(d) If X_1 and Y_1 are non-empty, don't-know nondeterministically generate a minimal bag correspondence E between X_1 and Y_1. Reduce S using E.

Rule 3 (Set Decomposition). The rule can be applied to a system S if the system contains set equations z = s and z = t, where s and t are different. If z is a final variable, do the following. Suppose that s is {X | u} and t is {Y | v}. Replace z = s and z = t by the equation z = {X ∪ Y | z} and reduce the system using z = u, z = v. Otherwise, choose any extensions of z = s and z = t. Remove z = s and z = t from S and consider two possible cases.

1. The extensions have the forms z = {X | u} and z = {Y | u}. Don't-know nondeterministically divide X into disjoint parts X_1 and X_2. Similarly, divide Y into Y_1 and Y_2. Informally: X_1 and Y_1 coincide as sets, X_2 and Y_2 have no common members. If one of the parts X_1 and Y_1 is empty then the other is required to be empty too. In addition, as in the case of bags, X_2 and Y_2 are required to contain no common variables. Consider two cases.

(a) Both X_1 and Y_1 are empty. Add the equation u = {X_2 ∪ Y_2 | u} and reduce S using z = u.

(b) Both X_1 and Y_1 are non-empty. Don't-know nondeterministically generate a minimal set correspondence E between X_1 and Y_1. Then transform S as follows.

i. Add the equation z = {Y_1 | u}.

ii. If at least one of X_2 and Y_2 is non-empty, add u = {X_2 ∪ Y_2 | u}.

iii. Reduce S using E.

2. The extensions have the forms z = {X | u} and z = {Y | v}, where the variables u and v are different. Don't-know nondeterministically divide X into disjoint parts X_1 and X_2 and divide Y into Y_1 and Y_2. As above, the division is required to satisfy the following conditions. First, if one of the parts X_1 and Y_1 is empty then the other is empty too. Second, X_2 and Y_2 contain no common variables. Consider two cases.

(a) Both X_1 and Y_1 are empty. Add the equations z = {X_2 ∪ Y_2 | w}, u = {Y_2 | w} and v = {X_2 | w}, where w is a new variable.

(b) Both X_1 and Y_1 are non-empty. Transform S as follows.

i. Add the equation z = {X_2 ∪ Y_1 ∪ Y_2 | w}, where w is a new set variable.

ii. If X_2 is non-empty, add the equation v = {X_2 | w}. Otherwise reduce S using v = w.

iii. If Y_2 is non-empty, add the equation u = {Y_2 | w}. Otherwise reduce S using u = w.

iv. Don't-know nondeterministically generate a minimal set correspondence E between X_1 and Y_1 and reduce S using E.

Rule 4 (Function Failure). If S contains equations x = f(x_1, ..., x_m) and x = g(y_1, ..., y_n) where m, n ≥ 0 and f and g are distinct function symbols, transform S into ⊥.

Rule 5 (Type Failure). If the system S contains an equation x = t such that t ∉ x, transform S into ⊥.



3.3 Algorithms 

Solved form. A system S of equations is said to be in solved form if no rule is applicable to S. In particular, ⊥ is in solved form. It is easy to see that a system S is in solved form if and only if (i) S does not contain two different equations x = s and x = t, and (ii) for any equation x = t in S, we have t ∈ x.

Transformation algorithm. The transformation algorithm don’t-care non- 
deterministically chooses Rules 1-5 and applies them to an input system until 
no rule is applicable. Thus, the transformation algorithm is a nondeterministic 
algorithm that transforms any input system into a system in solved form. 

Variable dependency graph. We introduce one more graph associated with a system S. The variable dependency graph of S is the graph whose nodes are the variables occurring in S and whose edges are defined as follows. There is an edge from x to y if S contains at least one of the following equations:

x = f(y_1, ..., y_n), where f is a function symbol and y is one of y_1, ..., y_n;
x = {|y_1, ..., y_n | z|} such that y is one of y_1, ..., y_n, z;
x = {y_1, ..., y_n | z} such that y is one of y_1, ..., y_n.







Evgeny Dantsin and Andrei Voronkov 



Occur-check algorithm. The occur-check algorithm is applied to a system S in solved form. If the variable dependency graph of S has a cycle, S is transformed into ⊥. Otherwise, the algorithm does not change S.

Unification algorithm. The unification algorithm is the composition of the 
transformation algorithm and the occur-check algorithm. 
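As an added illustration (not code from the paper), the following Python builds the variable dependency graph of a solved-form system exactly as defined above and runs the occur-check on it. The tuple encoding of terms and the sample systems are constructed assumptions of the example. What it makes visible is the asymmetry in the definition: the tail of a bag term is a successor of the left-hand variable, the tail of a set term is not, so x = {|y | x|} is rejected as a bag cycle while x = {y | x} survives the occur-check (as the paper notes later, {x | y} is {x} ∪ y, so a set may contain itself as a tail).

```python
"""Occur-check on the variable dependency graph of a system in solved form
(added example; the term encoding below is an assumption, not the paper's)."""

BOTTOM = "⊥"   # the inconsistent system

# Assumed encoding of the right-hand sides of a solved-form system:
#   ("fun", f, [y1, ..., yn])   stands for   x = f(y1, ..., yn)
#   ("bag", [y1, ..., yn], z)   stands for   x = {|y1, ..., yn | z|}
#   ("set", [y1, ..., yn], z)   stands for   x = {y1, ..., yn | z}
# A system is a list of (x, rhs) pairs.


def dependency_graph(system):
    """Build the variable dependency graph as {variable: set of successors}.
    Per the definition: an edge x -> y exists for every argument y of a
    tree term, every element or tail of a bag term, and every element
    (but not the tail) of a set term."""
    graph = {}
    for x, (kind, *payload) in system:
        succ = graph.setdefault(x, set())
        if kind == "fun":
            _symbol, args = payload
            succ.update(args)
        elif kind == "bag":
            elems, tail = payload
            succ.update(elems)
            succ.add(tail)           # bag tail counts: x = {|y | x|} is a bag cycle
        elif kind == "set":
            elems, _tail = payload
            succ.update(elems)       # set tail does not: {y | x} = {y} ∪ x is solvable
        else:
            raise ValueError(f"unknown term kind {kind!r}")
    # make sure every target variable is also a node
    for targets in list(graph.values()):
        for y in targets:
            graph.setdefault(y, set())
    return graph


def has_cycle(graph):
    """Iterative DFS with three colours; True iff some directed cycle exists."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {v: WHITE for v in graph}
    for start in graph:
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        stack = [(start, iter(sorted(graph[start])))]
        while stack:
            node, children = stack[-1]
            for child in children:
                if colour[child] == GREY:
                    return True          # back edge to a node on the path => cycle
                if colour[child] == WHITE:
                    colour[child] = GREY
                    stack.append((child, iter(sorted(graph[child]))))
                    break
            else:
                colour[node] = BLACK     # all successors finished
                stack.pop()
    return False


def occur_check(system):
    """The occur-check algorithm: ⊥ if the dependency graph has a cycle,
    otherwise the system unchanged."""
    return BOTTOM if has_cycle(dependency_graph(system)) else system


# Constructed sample systems, each already in solved form with respect to Rules 1-5.
S_TREE_BAG_CYCLE = [("x", ("fun", "f", ["y"])), ("y", ("bag", ["a"], "x"))]
S_BAG_SELF = [("x", ("bag", ["y"], "x"))]        # x = {|y | x|}: no bag satisfies this
S_SET_SELF = [("x", ("set", ["y"], "x"))]        # x = {y | x}: x = {y} is a solution
S_ACYCLIC = [("x", ("fun", "f", ["y", "z"])),
             ("y", ("set", ["z"], "u")),
             ("z", ("fun", "c", []))]

if __name__ == "__main__":
    for name, s in [("tree/bag cycle", S_TREE_BAG_CYCLE), ("bag self", S_BAG_SELF),
                    ("set self", S_SET_SELF), ("acyclic", S_ACYCLIC)]:
        print(f"{name:14s} -> {occur_check(s)}")
```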

Theorem 2 (running time). The unification algorithm runs in nondeterministic polynomial time.

Theorem 3 (soundness and completeness). Let S_1, ..., S_n be all nondeterministic results of the application of the unification algorithm to a system S. Then

1. Any solution to S_i is also a solution to S.

2. For any solution ν to S, there is a solution ν_i to some S_i such that ν and ν_i coincide on all variables of S.

It follows from these theorems and NP-hardness [28] that the unifiability 
problem for TLU^ is NP-complete (as we note in Section 4 below, this fact also 
follows from results on AC and ACI unification). 

Usually, unification problems are formulated in terms of finding unifiers, i.e. 
substitutions that make two terms equal. A set U of unifiers of a system S is 
said to be complete if for every unifier of S, the set U contains a more general 
unifier of S. It is straightforward to extract unifiers from our algorithm. Namely, every nondeterministic branch leads to either ⊥ or a system in solved form. Such a system represents a unifier called a resulting unifier for S; for details see [19].
The completeness of our algorithm provides that all resulting unifiers for S form 
a complete set of unifiers of S. Since every branch gives us at most one unifier, we 
obtain an upper bound on the minimal cardinality of a complete set of unifiers. 

Theorem 4 (upper bound). For any system S, the set of all resulting unifiers 
for S is a complete set of unifiers. An upper bound on its cardinality is 
where n is the size of S. 

It follows from [9] and [19] that this bound is also a lower bound. To establish the lower bound, it is enough to consider unification for flat sets. Thus, the bound is tight.

Minimality. We say that a complete set U of unifiers is minimal if for every pair of unifiers in U, none of them is more general than the other. A unification algorithm is said to be optimal for a system S if the algorithm yields a minimal complete set of unifiers of S. Our algorithm (as well as all other known algorithms) is not optimal in general, but it is optimal for a number of important special cases. First, consider the following equations on sets:



$$\{s_1,\dots,s_m \mid x\} = \{t_1,\dots,t_n \mid x\} \qquad (1)$$

$$\{s_1,\dots,s_m \mid x\} = \{t_1,\dots,t_n \mid y\} \qquad (2)$$

$$\{s_1,\dots,s_m \mid x\} = \{t_1,\dots,t_n\} \qquad (3)$$

$$\{s_1,\dots,s_m\} = \{t_1,\dots,t_n\} \qquad (4)$$

where x, y are different variables not occurring in s_1, ..., s_m, t_1, ..., t_n, and s_1, ..., s_m, t_1, ..., t_n are either variables or ground terms without occurrences of bag or set constructors, not necessarily different. Systems (1)-(4) are not, in general, systems of simple or isolated equations without duplication, and there are several ways of transforming them into such systems.

Assuming that equations (1)-(4) are preprocessed using the algorithm presented in Lemma 1, we obtain

Theorem 5. The unification algorithm is optimal for any system consisting of one equation of the form (1)-(4).

The proof is not difficult and is based on properties of minimal set correspon- 
dences. Note that (l)-(4) contain all equations considered in [9], for which opti- 
mality of a different algorithm is proved. 

Similarly, using properties of minimal bag correspondences we can prove 
optimality for special cases of bag equation. Consider the following equations on 
bags: 



$$\{\!| s_1,\dots,s_m \mid x |\!\} = \{\!| t_1,\dots,t_n \mid x |\!\} \qquad (5)$$

$$\{\!| s_1,\dots,s_m \mid x |\!\} = \{\!| t_1,\dots,t_n \mid y |\!\} \qquad (6)$$

$$\{\!| s_1,\dots,s_m \mid x |\!\} = \{\!| t_1,\dots,t_n |\!\} \qquad (7)$$

$$\{\!| s_1,\dots,s_m |\!\} = \{\!| t_1,\dots,t_n |\!\} \qquad (8)$$

with the same conditions as for (1)-(4).

Assuming that equations (5)-(8) are preprocessed using the algorithm pre- 
sented in Lemma 1, we obtain 

Theorem 6. The unification algorithm is optimal for any system consisting of one equation of the form (5)-(8).

Note that having systems without duplication is essential for the optimality. For example, our algorithm is optimal when the equation {|x, c|} = {|y, c|} is translated into {|x, z|} = {|y, z|}, z = c, but is not optimal when this equation is translated into {|x, z|} = {|y, u|}, z = c, u = c.

4 Related results 

AC and ACI unification. AC and ACI unification is more general than bag 
and set unification. First results relevant to bag and set unification appeared 
in the automated deduction community as results on AC- and ACI-unification 
algorithms [44,28,25,10,33,18]. These algorithms deal with the first three of 
the following equality axioms: 

(A) (x ∪ y) ∪ z = x ∪ (y ∪ z)
(C) x ∪ y = y ∪ x
(I) x ∪ x = x
(1) x ∪ {} = x

All the four axioms give an axiomatization of finite sets in the signature consisting of the set union ∪ and the empty set {}. By removing (I), we obtain an axiomatization of bags in the signature consisting of the bag union and the empty bag. Both axiomatizations are complete in the sense that every valid equation on sets or bags is a logical consequence of these axiomatizations. It is known that AC1-unifiability with constants is NP-complete: NP-hardness for a very simple special case is proved in [28] and inclusion in NP is proved in [10]. ACI1-unifiability with constants can be solved in polynomial time [29]. It follows from the results on combination of unification algorithms [11,42,17] that for the theory combining AC1 and ACI1, the unifiability problem is in NP [12, Theorem 5.2].

The influence of results on AC1- and ACI1-unification on unification problems with bag and set constructors was largely ignored (for which we are also to blame, see the preliminary version of this paper [19]). For example, one can read in [9]:

“by dealing with nested sets we can solve set-unification problems that cannot be expressed using AC1 unification; for instance {x, {y, {0, z}}} = {{4M”

However, it is not hard to see that the set constructor can be defined from the union ∪ by using the additional singleton set constructor {...}. Indeed, we have {x | y} = {x} ∪ y. Thus, the unification problem for TiU^ (as well as for the domains of [22,45,21]) can be implemented as unification in the theory combining AC1 and ACI1. This fact has been noted for example in [7] and in [43]. In particular, by [12, Theorem 5.2], unifiability in the domain combining bags, sets and trees is in NP.

There are various motivations for using the signature with the bag and set constructors instead of the union. Our motivation is explained by Theorem 1: bag and set constructors are enough to express any computable function on the universe with bags and sets. In addition, known AC1- and ACI1-unification algorithms adapted for 'HU'^ are too complex compared to our algorithm (for example, they use solutions to systems of Diophantine equations, and one should also count the complexity added by the techniques of combining unification algorithms). In the signature with the union, there is a double-exponential lower bound on cardinalities of minimal complete sets of unifiers for bag equations [30]. Using bag and set constructors instead of the union, our algorithm gives a single-exponential upper bound even for the combined domain. This bound is new and does not follow from other results in the literature.

Other domains for bags and finite sets. Our unification algorithm can be modified in a straightforward way to deal with other data models for bags and sets. In particular, [19] defines a typed universe (in the spirit of [1] or [34]) and a universe of colored bags and colored sets (similar to [22]). The corresponding modifications of the algorithm are sketched too.

Complexity of nonrecursive logic programs with bags and sets. As is shown in [20], if solvability of equations over a domain is in NP, then the query evaluation problem for nonrecursive Horn clause logic programs over this domain is in NEXP (see [20] for precise definitions). Therefore, the query evaluation problem for such programs over bags and/or sets and/or trees is in NEXP (as follows from another result of [20], this problem is also NEXP-hard). This bound does not hold for nonrecursive logic programs with negation: in this case the query evaluation problem may be nonelementary or even undecidable already for domains with sets [47].

Comparison with other algorithms. Our approach is close to the approach of [22] where a set unification algorithm has been proposed. However, incorporating bags in a logic programming language is stated as an open problem in [22, page 34]. Also, there is much in common with other known unification algorithms for bags and sets built with the bag and set constructors [21-23,45,9]. It is natural to compare them in the important special cases of flat bags and sets, for example when solving equations of the form

$$\{x_1,\dots,x_n \mid x\} = \{y_1,\dots,y_m \mid y\},$$

where x_1, ..., x_n, x, y_1, ..., y_m, y are variables. As was mentioned, in this case the minimal cardinality of complete sets of unifiers may be exponential.

Set unification in [22] is not optimal in this case. In [45] the special case of flat sets is treated in detail. The algorithm of [45] tries to take care of information about unifiability of elements of sets. This idea is interesting and natural, but unfortunately the algorithm of [45] does not work for embedded sets, despite the claim to do so. For the flat case, the algorithm of [45] may be better than all known algorithms in the number of computed unifiers, but it is not clear how to modify it for embedded sets (for example, because it checks unifiability of subterms and uses most specific generalizations that do not exist for sets). The set unification algorithm of [9] also uses optimizations for the flat case. It is proved that the algorithm computes minimal complete sets of unifiers for a number of special cases of flat sets. All these special cases are covered by cases (1)-(4). We achieve minimality by using minimal bag and set correspondences, which is a new idea and allows us to get an optimal algorithm both for cases (1)-(4) of sets and (5)-(8) of bags. Note that the algorithms of [45,9] apply substitutions explicitly and thus use exponential space, though we guess they can be modified into nondeterministic polynomial-time ones.

It seems that optimal algorithms for flat bags have not been considered in other papers. For example, the algorithm of [23] is not optimal for the bag equation {|x, x | y|} = {|x | z|}, while our algorithm is optimal for such equations (case (6) of Theorem 6). Although [23] asserts that

“The axiomatizations presented can easily be combined in order to obtain axiomatic theories capable to deal with any subset of the collection of proposed structures. Moreover, the unification algorithms presented in the next section can easily be merged to solve the unification problem relative to such combined context”,

no details are given.
Directions of further research. It is interesting to consider constraint logic programming over bags and finite sets which uses more powerful primitives than just the bag and set constructors. For example, what is the complexity of constraint satisfaction when we also have primitives like ∪ or ⊆? Set constraints have recently received considerable attention in connection with program verification, but mostly for infinite sets and constraints that are less relevant to databases or logic programs, see e.g. [5,14,39,13] and the survey [40].

Also, it is interesting to consider a suitable representation of graphs (up to isomorphism) and the complexity of unification over graphs. This may be useful for dealing with semistructured data [4].
Abstract. Indexed categories provide models of cartesian calculi of explicit substitutions. However, these structures are inherently non-linear and hence cannot be used to model linear calculi of explicit substitution. This paper replaces indexed categories with pre-sheaves, thus providing a categorical semantics covering both the linear and cartesian cases. We further justify our models by proving soundness and completeness results.



1 Introduction 

Functional programming languages are based on the λ-calculus and model computation by β-reduction (λx.t)u → t[u/x]. This process can duplicate the redexes in u and hence is highly inefficient from the implementational perspective. Abstract machines avoid this problem by reducing terms in an environment — the contraction of a β-redex creates a new substitution which is added to the existing environment and only evaluated when needed. In order to study such machines, calculi of explicit substitutions incorporate substitutions directly into the syntax of the λ-calculus rather than treating them as meta-theoretic operations.

Category theory aids the design of abstract machines [7, 16] by providing a semantics for explicit substitutions based upon the Curry-Howard triangle relating typed λ-calculi, intuitionistic logic and their categorical models. The best known example relates the simply typed λ-calculus, the positive fragment of intuitionistic propositional logic (IPL) and cartesian closed categories (CCC's).

[Figure: Curry-Howard triangle with vertices λ-calculus, CCC and IPL]

Indexed categories seem to provide the correct semantic framework for cartesian calculi of explicit substitutions by interpreting substitutions in the base, terms in the fibres and the application of a substitution to a term via re-indexing. Indexed categories also arise in the semantics of dependent types [8] and in models of the simply-typed λ-calculus where not all objects are exponentiable [12]. Unfortunately indexed categories cannot be used as models of linear calculi of explicit substitution as identities cannot be defined in the fibres. Dropping the identities from our models leads to what we call ^-categories and hence our triangle now looks like:

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 197-211, 1999. 
[Figure: Curry-Howard triangle with vertices λσ-calculus, £-cat and IPL]

where the λσ-calculus [1] (a simply-typed λ-calculus with explicit substitution) is derived as the internal language of ^-categories — this ensures that we have a Curry-Howard triangle. As we shall see, ^-categories are essential in generalising the monoidal adjunction semantics of linear logic to cover explicit substitutions.

Now we turn to linear logic. The Curry-Howard correspondence between the linear λ-calculus, the standard categorical models and intuitionistic linear logic is described, for example, in [4]. These categorical models are essentially symmetric monoidal closed categories (SMCCs) with extra structure to model the modality !. However, categorical combinators based on SMCCs ([13] [14]) are not adequate for modelling resource allocation, the idea behind linear functional languages.

Linear categorical abstract machines are designed to implement linear logic and we require linear analogues of the modifications described above. In particular, we want a linear λ-calculus extended with explicit substitutions, a categorical model for the calculus and a Curry-Howard relationship between them. The calculus appears in full in [10] and this paper concentrates on the more refined categorical models for the linear λ-calculus extended with explicit substitutions.

Indexed categories cannot be used as models of linear calculi of explicit substitution as they are an inherently non-linear structure. Asking that the fibres form a category requires identities, which in turn correspond to weakening, which is not admissible in linear λ-calculi. Hence we alter the notion of an indexed category to a presheaf (i.e., a functor with Set as codomain rather than Cat), and call this structure a linear context-handling category. Cartesian context-handling categories analogously model cartesian calculi of explicit substitutions.

The tensor, unit and linear implication are then modelled by adding natural 
isomorphisms to the “fibres” of linear context handling categories — we call 
these structures L-categories. Modelling contexts by structure in the base and 
the logical connectives by structure in the fibres distinguishes our models from 
the usual SMCC’s where the same semantic structure is used to model both 
the behaviour of contexts and the tensor connective. Similarly, intuitionistic 
implications and conjunctions are modelled by adding structure to the fibres of 
a cartesian context handling category obtaining the previously mentioned ill- 
categories. The modalities of linear logic are modelled by a monoidal adjunction 
between (the bases of) an L-category and an ill-category. 

2 Context Handling Categories 

The traditional categorical semantics of explicit substitutions is based on indexed categories, i.e. a base category B and a contravariant functor E: B^op → Cat. The objects of B model the contexts, the morphisms of B interpret the explicit substitutions and the fibres interpret the types and terms of the calculus. Unfortunately, indexed categories do not generalise to the linear setting as the identity on A in a fibre E(Γ) corresponds to the non-linear typing judgement Γ, x:A ⊢ x:A [16,8]. This paper replaces indexed categories with pre-sheaves, thus providing a categorical semantics covering both the linear and cartesian cases. That is, we change the codomain of E from Cat to Set, thus removing the identities from the fibres. As motivation for our definition, consider the most primitive form of a linear or cartesian calculus of explicit substitutions. Such a calculus has the following components:

- Types: A set of types T.

- Contexts: Contexts are obtained by “glueing”, in a linear or cartesian manner, variable-type pairs (x: A) together.

- Substitutions: Given contexts Γ and Δ, there is a collection of explicit substitutions which are judgements of the form Γ ⊢ f : Δ.

- Terms: Given a context Γ and type B ∈ T, there is a collection of terms which are judgements Γ ⊢ t : B. Applying a substitution Γ ⊢ f : Δ to a term Δ ⊢ t : A results in another term Γ ⊢ f * t : A.

These properties can be captured by a presheaf L: B^op → Set^T with additional structure to capture the formation and behaviour of explicit substitutions:

Definition 1 Let B be a (symmetric) monoidal category with distinguished collection of objects T ⊆ |B|. A linear context handling category is a functor L: B^op → Set^T such that for each A ∈ T there exists a natural isomorphism

$$\mathrm{Sub}_A : L(-)_A \cong \mathrm{Hom}_B(-, A) : \mathrm{Term}_A$$

Each component of Definition 1 corresponds to part of the description of a term assignment system given previously:

- The Base B: The base B of a context handling category models contexts as objects and substitutions as morphisms — types are treated semantically as singleton contexts¹. That B forms a category means that substitutions can be sequentially composed and there is an identity substitution. Contexts and substitutions can be put into parallel and there is an empty context — these features are described by the monoidal structure on B.

- The Functor L: The functor L associates to each context Γ and type A a set, written L(Γ)_A, which we think of as the terms of type A in context Γ. Given a substitution f : Γ → Δ, and any type A, the contravariance of L gives a function L(f)_A : L(Δ)_A → L(Γ)_A. This re-indexing is exactly what is used to model the application of a substitution to a term.

- The Natural Transformations Sub_A and Term_A: Sub_A describes the formation of new substitutions by converting elements in the fibres to morphisms in the base, i.e. taking a term t and constructing the substitution (t/x)². By the Yoneda Lemma, Term_A can be replaced by elements Var_A ∈ L(A)_A, and Term_A(f) is then given by f * Var_A — thus Term_A evaluates a substitution at a variable. The condition that Sub and Term are natural isomorphisms is then replaced by the equations

$$\mathrm{Sub}_A(t) * \mathrm{Var}_A = t \qquad\qquad \mathrm{Sub}_A(\mathrm{Var}_A) = \mathrm{Id}$$

¹ although we simplify notation by sometimes writing A for x : A
² where x is the variable associated to the singleton context A

In order to model a calculus of cartesian contexts we use cartesian context handling categories, whose definition only differs in requiring that the monoidal structure in the base is actually a product, so that weakening and contraction can be interpreted. This notion of a cartesian handling of contexts is implicit in most of the work on categorical modelling of higher-order typed calculi [8] [11].

Definition 2 Let B be a cartesian category with distinguished collection of objects T ⊆ |B|. A cartesian context handling category is a functor E: B^op → Set^T such that for each A ∈ T there exists a natural isomorphism

$$\mathrm{Sub}_A : E(-)_A \cong \mathrm{Hom}_B(-, A) : \mathrm{Term}_A$$

Notation: We use Γ, Δ, ... as generic objects in B, f, g, ... as generic morphisms in B and A, B, C, ... as generic elements of T. We write f * − for E(f) (or L(f)), the functor on morphisms. When B is monoidal the unit is denoted [], the tensor product of objects Γ_1, ..., Γ_n is denoted (Γ_1, ..., Γ_n) and similarly the tensor product of two morphisms f and g is written (f, g). In addition, if B is cartesian, we write Fst and Snd for the two projections.

Should Sub and Term be isomorphisms? The equation Sub_A(t) * Var_A = t formalises our understanding that x[t/x] = t. However, the other equation, namely that if f is a substitution for the variable x, then f = (f * x)/x, does not carry the same force, and intensional definitions requiring only a retraction Term_A ∘ Sub_A = Id could be considered. The situation would be analogous to the intensionality of function spaces: in the same way as two functions are not intensionally equal if they produce the same result when applied to the same arguments, two substitutions are not intensionally equal if applied to the same variable they produce the same result. The formal definition is

Definition 3 An intensional (cartesian) context category consists of the same data as a (cartesian) context handling category, but the natural transformations Sub_A and Term_A need only form a retraction Term_A ∘ Sub_A = Id.

The next lemma proves that an intensional context handling category where Sub_A(Var_A) = Id is actually extensional. Since we think of Sub_A(Var_A) as the substitution [x/x], this is rather a mild condition and dropping it, as intensional structures require, seems counter-intuitive.

Proposition 4 Let L be an intensional context handling category with types T. If for all A ∈ T, Sub_A(Var_A) = Id_A, then L is a linear context handling category.

Proof If A ∈ T, then we show Sub_A ∘ Term_A = Id. So let f : Γ → A. Then

$$f = f;\mathrm{Id} = f;\mathrm{Sub}_A(\mathrm{Var}_A) = \mathrm{Sub}_A(f * \mathrm{Var}_A) = \mathrm{Sub}_A \circ \mathrm{Term}_A(f)$$

where the first equality holds by definition, the second by assumption, the third is the naturality of Sub_A and the fourth by definition.

The natural isomorphism between Hom(−, A) and E(−)_A (or L(−)_A in the linear setting) has several consequences. Firstly, the fibres of a context handling category are determined up to isomorphism by the base of the category. Secondly, all substitutions are extensional, i.e. morphisms are determined by their effects on terms: f = g iff for all terms t, f * t = g * t. Finally, models of λ-calculi based on context handling categories can be compared with the standard categorical models by constructing an “internal category” from the fibres. The objects of this category are the elements of T and the set of morphisms from A to B is the fibre E(A)_B. The identity on A is the term Var_A and the composition of two morphisms t ∈ E(A)_B and s ∈ E(B)_C is given by Sub(t) * s. Clearly this internal category is isomorphic to the full subcategory of B whose objects are T.

3 The Cartesian Model 

Context handling categories model the basic features of explicit substitutions, namely the ability to form substitutions from terms, put them in parallel and apply them to terms. This structure is insufficient to model a calculus of explicit substitutions as no mention is made of the connectives. We now consider a canonical extension of the simply typed λ-calculus with explicit substitutions and the extra structure required to model it. Our presentation varies slightly from the original [1], e.g. we use names rather than De Bruijn numbers.

3.1 The λσ-calculus

The types of the λσ-calculus are ground types, the unit type 1, function types A → B and product types A × B. The raw expressions of λσ are:

$$t ::= x \mid \lambda x{:}A.t \mid tt \mid (t,t) \mid \pi_i(t) \mid \bullet \mid f * t$$

$$f ::= () \mid (f, t/x) \mid f;f$$

where x is a variable. The term f * t represents the application of the explicit substitution f to the term t and • represents the canonical element of the unit type. The substitution () should be thought of as a substitution of variables for themselves, while (f, t/x) represents the parallel composition of the substitution f with the substitution of the term t for the variable x. Finally, f; g represents the composition of the substitutions f and g and models iterated substitution.

Contexts are lists x_1: A_1, ..., x_n: A_n where the x's are distinct variables and the A's are types — the domain of the context is {x_1, ..., x_n} and we write Γ ⊆ Γ' if the domain of Γ is contained in the domain of Γ'. The λσ-calculus has term judgements Γ ⊢ t : A and substitution judgements Γ ⊢ f : Δ — these judgements are generated by the inference rules of Table 1. The inference rules for declaring variables and the introduction and elimination rules for function spaces and conjunctions are standard. All the free variables of t are bound in f * t and similarly all the free variables of g are bound in f; g. For a full presentation of the meta-theory of λσ see [1, 15].
Table 1. Typing Judgements for the λσ-calculus

— Term Judgements

$$\frac{x:A \text{ declared in } \Gamma}{\Gamma \vdash x : A} \qquad \frac{\Gamma \vdash f : \Delta \quad \Delta \vdash t : A}{\Gamma \vdash f * t : A}$$

$$\frac{\Gamma, x:A \vdash t : B}{\Gamma \vdash \lambda x{:}A.t : A \to B} \qquad \frac{\Gamma \vdash t : A \to B \quad \Gamma \vdash u : A}{\Gamma \vdash tu : B}$$

$$\frac{\Gamma \vdash t : A \quad \Gamma \vdash u : B}{\Gamma \vdash (t,u) : A \times B} \qquad \frac{\Gamma \vdash t : A_1 \times A_2}{\Gamma \vdash \pi_i(t) : A_i} \qquad \frac{}{\Gamma \vdash \bullet : 1}$$

— Substitution Judgements

$$\frac{\Gamma' \subseteq \Gamma}{\Gamma \vdash () : \Gamma'} \qquad \frac{\Gamma \vdash f : \Delta \quad \Gamma \vdash t : A}{\Gamma \vdash (f, t/x) : \Delta, x:A} \qquad \frac{\Gamma \vdash f : \Delta \quad \Delta \vdash g : \Theta}{\Gamma \vdash f;g : \Theta}$$

where in the second rule x is not in the domain of Δ.



3.2 Modelling the λσ-calculus in an E-category

Cartesian context handling categories model the behaviour of explicit substitutions, e.g. their formation from terms and their application to other terms. We now add extra structure to cartesian context handling categories to model the types of the λσ-calculus. Since these types define new terms, and terms are interpreted in the fibres, this extra structure is defined on the fibres:

Definition 5 An E-category is a cartesian context handling category $E : \mathbf{B}^{op} \to \mathbf{Set}^T$ with a distinguished type $1 \in T$ and such that for two types $A, B \in T$, there are types $A \Rightarrow B, A \times B \in T$. In addition 1 is terminal in $\mathbf{B}$, and there are isomorphisms, natural in $\Gamma$, between $E((\Gamma, A))_B$ and $E(\Gamma)_{A \Rightarrow B}$ as well as between $E(\Gamma)_A \times E(\Gamma)_B$ and $E(\Gamma)_{A \times B}$.

Definition 5 implies that $A \times B$ is isomorphic to the product of A and B in $\mathbf{B}$, namely $(A, B)$ — this is consistent with our philosophy that the semantics of context concatenation and the connective × are, although related, conceptually distinct. Similarly the type 1 is isomorphic to the empty context $[\,]$. E-categories also provide a theory of equality judgements for the λσ-calculus which are of the form $\Gamma \vdash t = t'$ and $\Gamma \vdash f = f'$ — these are given in Table 2 and used in proving soundness and completeness.

Similar structures to our E-categories have been considered in the literature. Jacobs [12] defines a λ1-category as an indexed category such that $\mathbf{B}$ has finite products; morphisms in the fibre from A to B are morphisms $\Gamma \times A$ to B in the base category together with the condition that the fibration defined by the indexed category has T-products. Such a λ1-category is an extensional E-category where the fibres are categories and not sets and where the isomorphism between substitutions and terms is the identity.
Table 2. Equality Judgements for the λσ-calculus

(1) $() ; f = f$ \qquad (2) $() * t = t$

(3) $f ; (g ; h) = (f ; g) ; h$ \qquad (4) $(f ; g) * t = f * (g * t)$

(5) $\langle f, t/x \rangle * x = t$ \qquad (6) $\langle f, t/x \rangle * y = f * y$

(7) $\dfrac{\Gamma \vdash f : [\,]}{\Gamma \vdash f = ()}$ \qquad (8) $f ; \langle g, t/x \rangle = \langle f ; g, (f * t)/x \rangle$

(9) $\dfrac{\Gamma \vdash t : 1}{\Gamma \vdash t = \bullet}$ \qquad (10) $\dfrac{\Gamma \vdash () : \Gamma \quad \Gamma = x_1 : X_1, \ldots, x_n : X_n}{\Gamma \vdash () = \langle x_1/x_1, \ldots, x_n/x_n \rangle}$

(11) $t = \lambda x{:}A.tx$ \qquad (12) $(\lambda x{:}A.t)u = \langle (), u/x \rangle * t$

(13) $f * (tu) = (f * t)(f * u)$ \qquad (14) $f * \lambda x{:}A.t = \lambda y{:}A.\langle f, y/x \rangle * t$

where in equation 2, $x \notin FV(t)$.
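The equations of Table 2 can be read as rewrite rules that push an explicit substitution through a term. The following Python program is an added example, not code from the paper: it implements the λ-fragment of the raw expressions (variables, abstraction, application and $f * t$) together with the three substitution forms, and normalises terms by using (2), (4), (5), (6), (13), (14) and the β-rule (12) from left to right. Table 2 only requires the variable y in (14) to be fresh; the choice to build fresh names by priming, and the decision to rename only when the bound variable occurs in the substitution, are assumptions of this example. The capture-avoidance case in the first sample shows why (14) renames at all.

```python
from dataclasses import dataclass
from typing import Union

# Raw expressions of the λ-fragment of the λσ-calculus (terms t and substitutions f).
@dataclass(frozen=True)
class Var:                 # x
    name: str

@dataclass(frozen=True)
class Lam:                 # λx:A.t
    x: str
    ty: str
    body: "Term"

@dataclass(frozen=True)
class App:                 # t u
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Closure:             # f * t, an explicit substitution applied to a term
    sub: "Subst"
    term: "Term"

@dataclass(frozen=True)
class Id:                  # ()
    pass

@dataclass(frozen=True)
class Ext:                 # ⟨f, t/x⟩
    sub: "Subst"
    term: "Term"
    x: str

@dataclass(frozen=True)
class Comp:                # f ; g
    first: "Subst"
    second: "Subst"

Term = Union[Var, Lam, App, Closure]
Subst = Union[Id, Ext, Comp]

def names(e) -> set:
    """Every variable name occurring in a term or substitution (used to choose fresh names)."""
    if isinstance(e, Var):     return {e.name}
    if isinstance(e, Lam):     return {e.x} | names(e.body)
    if isinstance(e, App):     return names(e.fun) | names(e.arg)
    if isinstance(e, Closure): return names(e.sub) | names(e.term)
    if isinstance(e, Id):      return set()
    if isinstance(e, Ext):     return names(e.sub) | names(e.term) | {e.x}
    if isinstance(e, Comp):    return names(e.first) | names(e.second)
    raise TypeError(f"not a λσ expression: {e!r}")

def fresh(x: str, avoid: set) -> str:
    """Assumption of this example: a fresh variable is made by priming until it is unused."""
    while x in avoid:
        x += "'"
    return x

def apply(f: Subst, t: Term) -> Term:
    """Compute f * t by pushing the explicit substitution inwards (Table 2, left to right)."""
    if isinstance(f, Id):                          # (2)  () * t = t
        return normalize(t)
    if isinstance(f, Comp):                        # (4)  (f;g) * t = f * (g * t)
        return apply(f.first, apply(f.second, t))
    # from here on f is ⟨g, u/x⟩
    if isinstance(t, Var):                         # (5) ⟨g,u/x⟩ * x = u    (6) ⟨g,u/x⟩ * y = g * y
        return normalize(f.term) if t.name == f.x else apply(f.sub, t)
    if isinstance(t, App):                         # (13) f * (t u) = (f * t)(f * u)
        return normalize(App(apply(f, t.fun), apply(f, t.arg)))
    if isinstance(t, Lam):                         # (14) f * λx:A.t = λy:A.⟨f, y/x⟩ * t, y fresh
        y = fresh(t.x, names(f))                   # y must not be captured by anything f substitutes
        return Lam(y, t.ty, apply(Ext(f, Var(y), t.x), t.body))
    if isinstance(t, Closure):                     # f * (g * u): resolve the inner closure first
        return apply(f, apply(t.sub, t.term))
    raise TypeError(f"not a term: {t!r}")

def normalize(t: Term) -> Term:
    """β-normalise using (12): (λx:A.t) u = ⟨(), u/x⟩ * t, resolving every closure on the way."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Lam):
        return Lam(t.x, t.ty, normalize(t.body))
    if isinstance(t, Closure):
        return apply(t.sub, t.term)
    if isinstance(t, App):
        fun, arg = normalize(t.fun), normalize(t.arg)
        if isinstance(fun, Lam):                   # (12): a β-redex becomes an explicit substitution
            return apply(Ext(Id(), arg, fun.x), fun.body)
        return App(fun, arg)
    raise TypeError(f"not a term: {t!r}")

def show(e) -> str:
    """Pretty-print a term or substitution in the paper's notation."""
    if isinstance(e, Var):     return e.name
    if isinstance(e, Lam):     return f"λ{e.x}:{e.ty}.{show(e.body)}"
    if isinstance(e, App):     return f"({show(e.fun)} {show(e.arg)})"
    if isinstance(e, Closure): return f"{show(e.sub)} * {show(e.term)}"
    if isinstance(e, Id):      return "()"
    if isinstance(e, Ext):     return f"⟨{show(e.sub)}, {show(e.term)}/{e.x}⟩"
    if isinstance(e, Comp):    return f"{show(e.first)}; {show(e.second)}"
    raise TypeError(f"not a λσ expression: {e!r}")

if __name__ == "__main__":
    # (λx:A.λy:A.x) y  must not capture the free y: (14) renames the binder to y'.
    print(show(normalize(App(Lam("x", "A", Lam("y", "A", Var("x"))), Var("y")))))
    # Iterated substitution via (4): (⟨(), z/y⟩ ; ⟨(), y/x⟩) * x  =  z.
    print(show(apply(Comp(Ext(Id(), Var("z"), "y"), Ext(Id(), Var("y"), "x")), Var("x"))))
```

The second sample is the composition $f ; g$ of the text: $g$ sends x to y and $f$ then sends y to z, so $(f ; g) * x$ is z, exactly the "iterated substitution" reading of (4).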



E-categories and CCC's Since the λσ-calculus contains the λ-calculus, every model of the λσ-calculus should contain a model of the λ-calculus, i.e. every E-category should contain an underlying CCC. In addition, one of the key meta-theoretic properties of the λσ-calculus is that every λσ-term is provably equal to a λ-term. The semantic counterpart to this is that every CCC should extend to an E-category. The following theorem makes this relationship clear.

Theorem 6 (i) Let $E : \mathbf{B}^{op} \to \mathbf{Set}^T$ be an extensional E-category. Then the full subcategory of $\mathbf{B}$ generated by T is a CCC.

(ii) Let $\mathbf{C}$ be a CCC and T be the set of objects of $\mathbf{C}$. Define a functor $E : \mathbf{C}^{op} \to \mathbf{Set}^T$ by $E(\_)_A = \mathrm{Hom}_{\mathbf{C}}(\_, A)$, then E is an extensional E-category.

(iii) If $E : \mathbf{B}^{op} \to \mathbf{Set}^T$ is an extensional E-category, then the E-category constructed in (ii) from the CCC constructed in (i) is isomorphic to the restriction of E to the full subcategory of $\mathbf{B}$ generated by T.



Soundness and Completeness We now prove that we can model the λσ-calculus in any E-category.

Theorem 7 Let $E : \mathbf{B}^{op} \to \mathbf{Set}^T$ be any E-category. Then there is a canonical interpretation map $[\![\_]\!]$ which assigns to any term of the λσ-calculus with set T of base types an element of a fibre and assigns to every substitution a morphism.

Proof The types of the λ-calculus are interpreted as elements of T and, using the product structure of $\mathbf{B}$, this extends to an interpretation of contexts as objects of $\mathbf{B}$. We now define $[\![t]\!]$ by induction over the structure of t:

- Variables are interpreted by $\pi * \mathrm{Var}_A$ where $\pi$ is a projection in the base.

- λ-abstraction, application, product and projections are interpreted via the natural transformations occurring in Definition 5. Finally the application of a substitution to a term is modelled by re-indexing.

- The substitution () is interpreted as a projection in $\mathbf{B}$ and $[\![f ; g]\!]$ is the composition of $[\![f]\!]$ and $[\![g]\!]$. Finally, $[\![\langle f, t/x \rangle]\!] = ([\![f]\!], \mathrm{Sub}([\![t]\!]))$, where the right-hand side uses pairing in $\mathbf{B}$.

That $[\![\_]\!]$ respects the equality judgements of the λσ-calculus relies on proving by induction on t that $[\![t[s/x]]\!] = (\mathrm{Sub}([\![s_1]\!]), \ldots, \mathrm{Sub}([\![s_n]\!])) * [\![t]\!]$.

E-categories form a complete class of models for the λσ-calculus.

Theorem 8 Let $\Gamma \vdash f : \Gamma'$ and $\Gamma \vdash f' : \Gamma'$ be λσ-substitution judgements and $[\![\_]\!]$ be the interpretation function of Theorem 7. If for every E-category, $[\![f]\!] = [\![f']\!]$, then $\Gamma \vdash f = f' : \Gamma'$ is provable.

Proof The proof is by the standard term-model construction. We sketch this in three stages: (i) first we construct the base; (ii) next we construct the pre-sheaf structure; and (iii) we finally describe the natural transformations Term and Sub.

- The Base Category $\mathbf{B}$: In the term model, the base has as objects contexts and equivalence classes of substitutions as morphisms. The identity will be () while composition is given by ;. Equations (1), (3) and (10) ensure that this structure does indeed define a category.

- Cartesian Structure on $\mathbf{B}$: By equation (7), the empty context is terminal in $\mathbf{B}$. On objects, the product structure is context concatenation while pairing is defined via the $\langle\rangle$-combinator. Universality follows from equation (10).

- The Pre-sheaf: The functor E maps a context $\Gamma$ and singleton context $(x : A)$ to the set of equivalence classes of terms of type A in context $\Gamma$. On morphisms $E(f)$ maps a term t to the term $f * t$ and E is a functor, i.e. E preserves identities and composition, by equations (2) and (4).

- The Natural Transformations Term and Sub: The natural transformation Term maps $f : \Gamma \to (x : A)$ to $f * x$, while Sub maps an element of $E(\Gamma)_{x : A}$, i.e. a term t, to the substitution $\langle t/x \rangle$. Naturality of Term follows from equation (4), while naturality of Sub is implicit in equation (8). Equations (5) and (10) imply Term and Sub are isomorphisms.

4 The Multiplicative Structure

What extra structure must be added to a linear context handling category to model the $(I, \otimes, \multimap)$ connectives from linear logic? Following the definition of E-categories, we may try adding natural isomorphisms to the fibres of linear context handling categories. While this works for the linear function space, there is a complication for the tensor and unit. Recall from section 3 that the structure used to interpret product types is defined on the fibres and then induces an isomorphism in the base between the contexts $z : A \times B$ and $x : A, y : B$. However, imposing structure on the fibres of a linear context handling category does not induce such an isomorphism and hence we require one explicitly.

Formally, an L-category requires an object $I \in T$ to model the unit and binary operations $\otimes$ and $\multimap$ to model the tensor and linear implication. As argued before, I will be isomorphic to the unit $[\,]$ of the monoidal structure of $\mathbf{B}$. Similarly, $\otimes$ will not be equal to the tensor of $\mathbf{B}$ but will be isomorphic to it.

Definition 9 An L-category is a linear context-handling category $(\mathbf{B}, T)$ such that:

(i) There is a type $I \in T$, and given $A, B \in T$, there are types $A \otimes B$ and $A \multimap B$.

(ii) For every type A and B, there are isomorphisms $n_I : [\,] \cong I : n_I^{-1}$ and $n_{A,B} : (A, B) \cong A \otimes B : n_{A,B}^{-1}$.

(iii) Given types A, B and C, there is a $\Gamma$-natural isomorphism between $L((\Gamma, A))_B$ and $L(\Gamma)_{A \multimap B}$.

Theorem 6 generalises to the linear setting, i.e. every L-category has an underlying SMCC and every SMCC generates an L-category. This reflects the fact that a linear calculus of explicit substitutions contains an underlying linear λ-calculus and every term is equal to a term of the underlying linear λ-calculus.

Theorem 10 (i) Let $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ be an L-category. Then the full subcategory of $\mathbf{B}$ generated by T is a symmetric monoidal closed category.

(ii) Let $\mathbf{C}$ be any symmetric monoidal closed category with objects T. The functor $L : \mathbf{C}^{op} \to \mathbf{Set}^T$ defined by $L(\_)_A = \mathrm{Hom}_{\mathbf{C}}(\_, A)$, is an L-category.

(iii) If $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ is an L-category, then the L-category constructed in (ii) from the underlying SMCC defined in (i) is naturally isomorphic to the restriction of L to the full subcategory of $\mathbf{B}$ generated by T.

Proof. The same proof as for Theorem 6 works.

L-categories provide models for a linear λ-calculus with the $(\otimes, I, \multimap)$-type structure extended with explicit substitutions — we call this calculus the monoidal λσ-calculus. Formally, the raw expressions are

$$t ::= x \mid \lambda x{:}A.t \mid tu \mid t \otimes t \mid \bullet \mid f * t \mid \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ t$$

$$f ::= () \mid \langle f, t/x \rangle \mid f ; f \mid \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ f$$

where x is a variable and p is of the form $\bullet$, $x \otimes y$. The calculus contains the usual terms of the linear λ-calculus, substitution constructs we have already seen and finally there are two new forms of substitution given by let-expressions. That is, not only do we have terms of the form let t be p in u (where u is a term) but also substitutions of the form let t be p in f (where f is a substitution). These let-expressions ensure the context $z : A \otimes B$ is isomorphic to the context $x : A, y : B$ as required by the definition of an L-category. Formally, the typing judgements are of the form $\Gamma \vdash t : A$ and $\Gamma \vdash f : \Gamma'$ and are given in Table 3, while the equality judgements for the calculus are given in Table 4. The η-equations are derived from Ghani's adjoint rewriting [9].

Theorem 11 Let $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ be an L-category. Then there is an interpretation map $[\![\_]\!]$ sending terms of the monoidal λσ-calculus with ground types T to elements of the fibres and substitutions to morphisms.

Proof The proof is similar to that of Theorem 7. Variables are interpreted by the elements $\mathrm{Var}_A$, while () is interpreted via the identity in the base, parallel composition via the tensor on $\mathbf{B}$ and sequential composition via composition in the base. The isomorphism $A \otimes B \cong (A, B)$ is used to interpret both the term
Table 3. Typing Judgements of the Monoidal λσ-calculus

The term judgements are

$$\frac{}{x : A \vdash x : A} \qquad \frac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x{:}A.t : A \multimap B} \qquad \frac{\Gamma_1 \vdash t : A \multimap B \quad \Gamma_2 \vdash u : A}{\Gamma \vdash tu : B}$$

$$\frac{\Delta \vdash f : \Gamma' \quad \Gamma' \vdash t : A}{\Delta \vdash f * t : A} \qquad \frac{}{\_ \vdash \bullet : I} \qquad \frac{\Gamma_1 \vdash t : I \quad \Gamma_2 \vdash u : A}{\Gamma \vdash \mathrm{let}\ t\ \mathrm{be}\ \bullet\ \mathrm{in}\ u : A}$$

$$\frac{\Gamma_1 \vdash t : A \quad \Gamma_2 \vdash u : B}{\Gamma \vdash t \otimes u : A \otimes B} \qquad \frac{\Gamma_1 \vdash u : A \otimes B \quad \Gamma_2, x : A, y : B \vdash t : C}{\Gamma \vdash \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ t : C}$$

The substitution judgements are

$$\frac{}{\Gamma \vdash () : \Gamma} \qquad \frac{\Delta \vdash f : \Gamma' \quad \Gamma' \vdash g : \Theta}{\Delta \vdash f ; g : \Theta} \qquad \frac{\Gamma_1 \vdash f : \Gamma' \quad \Gamma_2 \vdash t : A}{\Gamma \vdash \langle f, t/x \rangle : \Gamma', x : A}$$

$$\frac{\Gamma_1 \vdash t : I \quad \Gamma_2 \vdash f : \Gamma'}{\Gamma \vdash \mathrm{let}\ t\ \mathrm{be}\ \bullet\ \mathrm{in}\ f : \Gamma'} \qquad \frac{\Gamma_1 \vdash u : A \otimes B \quad \Gamma_2, x : A, y : B \vdash f : \Gamma'}{\Gamma \vdash \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ f : \Gamma'}$$

The rules for substitutions assume x, y are fresh and, where applicable, $\Gamma_1, \Gamma_2$ are disjoint and $\Gamma$ is any permutation of $\Gamma_1, \Gamma_2$.



let u be $x \otimes y$ in t and the substitution let u be $x \otimes y$ in f. Similarly the corresponding isomorphism for the unit is used to interpret the other let-expression. The verification that the map $[\![t]\!]$ respects equality judgements relies on a substitution lemma similar to that of Theorem 7.

Theorem 12 L-categories form a complete class of models for the monoidal λσ-calculus.

Proof A term model is const­ructed with contexts as objects and equivalence classes of substitutions as morphisms. The pre-sheaf structure is added as in Theorem 8 and, finally, we get an L-category from the inverse morphisms

$$x : X, y : Y \vdash \langle (x \otimes y)/z \rangle : z : A \otimes B \qquad z : A \otimes B \vdash \mathrm{let}\ z\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ \langle x/x, y/y \rangle : (x : X, y : Y)$$

Similarly, I is isomorphic to the empty context.

5 The Modalities

The standard categorical model of the modalities of linear logic is via a co-Kleisli construction [17] [6]. Benton [5] proposes the equivalent LNL-categories consisting of a monoidal adjunction between a cartesian closed category (CCC) and a symmetric monoidal closed category (SMCC). The adaptation of this approach to our framework is more succinct and hence used here.

Definition 13 An !L-category is an L-category $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ together with an E-category $E : \mathbf{C}^{op} \to \mathbf{Set}^S$ and monoidal adjunction $F \dashv G : \mathbf{C} \to \mathbf{B}$ such that if $A \in S$, then $FA \in T$, and conversely, if $B \in T$, then $GB \in S$.
Table 4. Equality Judgements of the Monoidal λσ-calculus

Let @ be either ; or * depending whether h is a term or a substitution.

— β- and η-equality:

$$(\lambda x{:}A.t)u = \langle u/x \rangle * t \qquad \lambda x{:}A.tx = t$$

$$\mathrm{let}\ v \otimes u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ h = \langle v/x, u/y \rangle\ @\ h \qquad \mathrm{let}\ \bullet\ \mathrm{be}\ \bullet\ \mathrm{in}\ h = h$$

$$\frac{\Gamma_1 \vdash u : I \quad \Gamma_2, z : I \vdash f : \Gamma'}{\Gamma \vdash f[u/z] = \mathrm{let}\ u\ \mathrm{be}\ \bullet\ \mathrm{in}\ \langle \bullet/z \rangle ; f} \qquad \frac{\Gamma_1 \vdash u : A \otimes B \quad \Gamma_2, z : A \otimes B \vdash f : \Gamma'}{\Gamma \vdash f[u/z] = \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ \langle (x \otimes y)/z \rangle ; f}$$

— Application of Substitutions:

$$() ; f = f \qquad () * t = t \qquad (f ; g) ; h = f ; (g ; h)$$

$$\langle f, t/x \rangle * x = t \qquad \langle f, t/y \rangle * x = f * x \qquad (f ; g) * t = f * (g * t)$$

$$\frac{\Gamma \vdash f : \_}{\Gamma \vdash f = ()} \qquad \frac{\Gamma \vdash () : \Gamma \quad \Gamma = x_i : X_i}{\Gamma \vdash () = \langle x_i/x_i \rangle}$$

— If $f = \langle t_1/x_1, \ldots, t_n/x_n \rangle$ then $f_t$ is f restricted to the free variables of t.

$$f ; \langle g, t/x \rangle = \langle f_g ; g, (f_t * t)/x \rangle$$

$$f * (u \otimes v) = (f_u * u) \otimes (f_v * v)$$

$$f * \lambda y{:}A.u = \lambda z{:}A.\langle f, z/y \rangle * u \qquad f * uv = (f_u * u)(f_v * v)$$

$$f\ @\ \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ h = \mathrm{let}\ (f_t * t)\ \mathrm{be}\ p\ \mathrm{in}\ f_h\ @\ h$$



As in Theorem 6, LNL-categories embed into !L-categories and vice versa.

Theorem 14 (i) If $(L : \mathbf{B}^{op} \to \mathbf{Set}^T, E : \mathbf{C}^{op} \to \mathbf{Set}^S)$ is a !L-category, the full subcategory of $\mathbf{B}$ defined by T and of $\mathbf{C}$ defined by S is a LNL-category.

(ii) Let $F \dashv G : \mathbf{C} \to \mathbf{B}$ be a monoidal adjunction between a cartesian closed category $\mathbf{C}$ with objects S and a symmetric monoidal closed category $\mathbf{B}$ with objects T. If we define functors $E : \mathbf{C}^{op} \to \mathbf{Set}^S$ by $E(\_)_A = \mathrm{Hom}_{\mathbf{C}}(\_, A)$ and $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ by $L(\_)_A = \mathrm{Hom}_{\mathbf{B}}(\_, A)$ then (L, E) is an !L-category.

(iii) If $(L : \mathbf{B}^{op} \to \mathbf{Set}^T, E : \mathbf{C}^{op} \to \mathbf{Set}^S)$ is a !L-category, then the !L-category constructed in (ii) from the monoidal adjunction constructed in (i) is isomorphic (in the obvious component-wise sense) to the original !L-category.

5.1 xDILL - A Linear Calculus of Explicit Substitutions

We now extend the monoidal λσ-calculus with !-types and prove that !L-categories form a sound and complete class of models for this calculus. Underlying our extended calculus is Barber's DILL [3] — hence we call our calculus xDILL [10]. We use DILL because it incorporates the semantic separation of linear and non-linear contexts directly within the syntax although we could have started from Bierman's linear λ-calculus. Formally, the types of xDILL are base types, unit, function, tensor and !-types and the raw expressions are

$$t ::= x \mid \lambda x{:}A.t \mid tu \mid t \otimes t \mid \bullet \mid\ !t \mid f * t \mid \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ t$$

$$f ::= () \mid \langle f, t/x_I \rangle \mid \langle f, t/x_L \rangle \mid f ; f \mid \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ f$$

where x is a variable and p is of the form $\bullet$, $x \otimes y$ or $!x$. Like DILL, xDILL contains both linear and intuitionistic variables and hence has zoned contexts of the form $\Gamma|\Delta$. Weakening and contraction are only permitted for variables declared in $\Gamma$ and the !-type constructor controls the interaction between the intuitionistic and linear zones of a context, thus allowing terms of !-type to be copied and discarded. As in section 4, the let-expressions must be generalised to substitutions as well as terms. Formally, the typing judgements of xDILL are of the form $\Gamma|\Delta \vdash t : A$ and $\Gamma|\Delta \vdash f : \Gamma'|\Delta'$ and are given in Table 5, while the equality judgements of xDILL are presented in Table 6.

Proposition 15 There is a canonical interpretation $[\![\_]\!]$ of xDILL with base types in T in a !L-category $(L : \mathbf{B}^{op} \to \mathbf{Set}^T, E : \mathbf{C}^{op} \to \mathbf{Set}^S)$ with monoidal adjunction $F \dashv G : \mathbf{C} \to \mathbf{B}$.

Proof Firstly interpret the types in T — for !-types set $[\![!A]\!] = FG[\![A]\!]$. This gives an interpretation of xDILL contexts using the monoidal structure of $\mathbf{B}$

$$[\![\Gamma|\Delta]\!] = (FG([\![A_1]\!]), \ldots, FG([\![A_n]\!]), [\![B_1]\!], \ldots, [\![B_m]\!])$$

where $\Gamma = x_1 : A_1, \ldots, x_n : A_n$ and $\Delta = y_1 : B_1, \ldots, y_m : B_m$. Now any xDILL term judgement $\Gamma|\Delta \vdash t : A$ is interpreted as an element of $L([\![\Gamma|\Delta]\!])_{[\![A]\!]}$ and any xDILL substitution judgement $\Gamma|\Delta \vdash f : \Gamma'|\Delta'$ is interpreted as a $\mathbf{B}$-map $[\![f]\!] : [\![\Gamma|\Delta]\!] \to [\![\Gamma'|\Delta']\!]$. This map $[\![\_]\!]$ is defined inductively, e.g.

$$[\![!t]\!] = \delta_\Gamma * m_\Gamma * FG(\mathrm{Sub}([\![t]\!])) * \mathrm{Var}_A$$

$$[\![\mathrm{let}\ t\ \mathrm{be}\ !x\ \mathrm{in}\ u]\!] = (\mathrm{Id}, \mathrm{Sub}([\![t]\!]), \mathrm{Id}) * [\![u]\!]$$

$$[\![\mathrm{let}\ t\ \mathrm{be}\ !x\ \mathrm{in}\ f]\!] = (\mathrm{Id}, \mathrm{Sub}([\![t]\!]), \mathrm{Id}) ; [\![f]\!]$$

where $\delta_\Gamma : (!A_1, \ldots, !A_n) \to (!!A_1, \ldots, !!A_n)$ is derived via the co-multiplication of the comonad on $\mathbf{B}$ and $m_\Gamma : (!!A_1, \ldots, !!A_n) \to\ !(!A_1, \ldots, !A_n)$ is derived from the monoidal transformation $!X, !Y \to\ !(X, Y)$.

Completeness of !L-categories as models of xDILL is proven by constructing a term model. We only define the structure involved and (mostly) omit the (lengthy, but routine) verification that the structure has the required properties. First the functor $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ is defined. The objects of $\mathbf{B}$ are contexts $\Gamma|\Delta$ and morphisms are substitution judgements $\Gamma|\Delta \vdash f : \Gamma'|\Delta'$. Context union makes $\mathbf{B}$ monoidal. Next define T to be the set of xDILL types, $L(\Gamma|\Delta)_A$ to be the judgements $\Gamma|\Delta \vdash t : A$, $L(f)(t)$ to be $f * t$, $\mathrm{Var}_A$ to be a canonical variable and set $\mathrm{Sub}(t)$ to be the substitution $\langle t/x \rangle$. This makes L a linear context handling category. Section 4 shows how to turn L into an L-category.

Now we turn to the modalities. The category $\mathbf{C}$ has as objects contexts $\Gamma$ and morphisms $\mathbf{C}(\Gamma, \Delta)$ are tuples of judgements $\Gamma|\_ \vdash t_i : A_i$ where $\Delta$ is the context $x_1 : A_1, \ldots, x_n : A_n$. Note that in $\mathbf{C}$ there are no let-substitutions — this corresponds exactly to the syntactic restrictions on term substitutions that arise in the meta-theory of xDILL [10]. Composition in $\mathbf{C}$ is given by substitution with tuples of variables forming the identities. S is the set of types and define
Table 5. xDILL Typing Judgements

The term judgements of xDILL are

$$\frac{}{\Gamma, x : A, \Gamma'|\_ \vdash x : A} \qquad \frac{}{\Gamma|x : A \vdash x : A} \qquad \frac{}{\Gamma|\_ \vdash \bullet : I}$$

$$\frac{\Gamma|\Delta_1 \vdash t : A \quad \Gamma|\Delta_2 \vdash u : B}{\Gamma|\Delta \vdash t \otimes u : A \otimes B} \qquad \frac{\Gamma|\_ \vdash t : A}{\Gamma|\_ \vdash\ !t : !A} \qquad \frac{\Gamma_1|\Delta_1 \vdash f : \Gamma_2|\Delta_2 \quad \Gamma_2|\Delta_2 \vdash t : A}{\Gamma_1|\Delta_1 \vdash f * t : A}$$

$$\frac{\Gamma|\Delta, x : A \vdash t : B}{\Gamma|\Delta \vdash \lambda x{:}A.t : A \multimap B} \qquad \frac{\Gamma|\Delta_1 \vdash t : A \multimap B \quad \Gamma|\Delta_2 \vdash u : A}{\Gamma|\Delta \vdash tu : B}$$

$$\frac{\Gamma|\Delta_1 \vdash t : I \quad \Gamma|\Delta_2 \vdash u : A}{\Gamma|\Delta \vdash \mathrm{let}\ t\ \mathrm{be}\ \bullet\ \mathrm{in}\ u : A} \qquad \frac{\Gamma|\Delta_1 \vdash u : A \otimes B \quad \Gamma|\Delta_2, x : A, y : B \vdash t : C}{\Gamma|\Delta \vdash \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ t : C}$$

$$\frac{\Gamma|\Delta_1 \vdash t : !A \quad \Gamma, x : A|\Delta_2 \vdash u : B}{\Gamma|\Delta \vdash \mathrm{let}\ t\ \mathrm{be}\ !x\ \mathrm{in}\ u : B}$$

The substitution judgements of xDILL are

$$\frac{\Gamma' \subseteq \Gamma}{\Gamma|\Delta \vdash () : \Gamma'|\Delta} \qquad \frac{\Gamma_1|\Delta_1 \vdash f : \Gamma_2|\Delta_2 \quad \Gamma_2|\Delta_2 \vdash g : \Gamma_3|\Delta_3}{\Gamma_1|\Delta_1 \vdash f ; g : \Gamma_3|\Delta_3}$$

$$\frac{\Gamma|\Delta \vdash f : \Gamma'|\Delta' \quad \Gamma|\_ \vdash t : A}{\Gamma|\Delta \vdash \langle f, t/x_I \rangle : \Gamma', x : A|\Delta'} \qquad \frac{\Gamma|\Delta_1 \vdash f : \Gamma'|\Delta' \quad \Gamma|\Delta_2 \vdash t : A}{\Gamma|\Delta \vdash \langle f, t/x_L \rangle : \Gamma'|\Delta', x : A}$$

$$\frac{\Gamma|\Delta_1 \vdash t : I \quad \Gamma|\Delta_2 \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash \mathrm{let}\ t\ \mathrm{be}\ \bullet\ \mathrm{in}\ f : \Gamma'|\Delta'} \qquad \frac{\Gamma|\Delta_1 \vdash t : !A \quad \Gamma, x : A|\Delta_2 \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash \mathrm{let}\ t\ \mathrm{be}\ !x\ \mathrm{in}\ f : \Gamma'|\Delta'}$$

$$\frac{\Gamma|\Delta_1 \vdash u : A \otimes B \quad \Gamma|\Delta_2, x : A, y : B \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ f : \Gamma'|\Delta'}$$

The rules for substitutions assume x, y are fresh and, where applicable, $\Delta_1, \Delta_2$ are disjoint and $\Delta$ is a permutation of $\Delta_1, \Delta_2$.
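The zoned contexts of Table 5 are what make xDILL enforce linearity: a variable in $\Delta$ must be consumed exactly once, a variable in $\Gamma$ may be copied or dropped, and $!t$ may only be formed when nothing linear is in scope. The following Python checker for the term judgements of Table 5 is an added example, not code from the paper. It infers the type of a term together with the set of linear variables it consumes, so the disjointness of $\Delta_1, \Delta_2$ becomes a check that two premises never consume the same variable, and the side condition that $\Delta$ be used up becomes a check at the root. Types are tuples, contexts are dicts, substitution judgements and $f * t$ are left out, and, as Table 5's freshness condition allows, variable names are assumed distinct across binders and zones.

```python
# Types: a base type is a string, 'I' is the unit, and ('⊸', A, B), ('⊗', A, B), ('!', A) are tuples.
# Terms (tuples tagged by their first element), following the term judgements of Table 5:
#   ('var', x)   ('lam', x, A, t)   ('app', t, u)   ('tensor', t, u)   ('unit',)   ('bang', t)
#   ('let_unit', t, u)   ('let_tensor', u, x, y, t)   ('let_bang', t, x, u)
# A context Γ|Δ is two dicts from variable names to types: gamma (intuitionistic), delta (linear).
# Assumption of this example: names are distinct across binders and zones, so no shadowing arises.

class LinearityError(TypeError):
    """A derivation would need weakening or contraction of a linear variable."""

def split(used_left, used_right):
    """Δ1 and Δ2 must be disjoint: two premises may not consume the same linear variable."""
    clash = used_left & used_right
    if clash:
        raise LinearityError(f"linear variable(s) used twice: {sorted(clash)}")

def infer(gamma, delta, term):
    """Return (type, set of linear variables consumed) for Γ|Δ ⊢ term, or raise TypeError."""
    tag = term[0]
    if tag == 'var':
        x = term[1]
        if x in delta:                       # Γ | x:A ⊢ x : A      (consumes x)
            return delta[x], {x}
        if x in gamma:                       # Γ, x:A, Γ' | _ ⊢ x : A  (reusable)
            return gamma[x], set()
        raise TypeError(f"unbound variable {x}")
    if tag == 'unit':                        # Γ | _ ⊢ • : I
        return 'I', set()
    if tag == 'bang':                        # Γ | _ ⊢ t : A  ⟹  Γ | _ ⊢ !t : !A
        a, used = infer(gamma, delta, term[1])
        if used:
            raise LinearityError(f"!t may not depend on linear variable(s) {sorted(used)}")
        return ('!', a), set()
    if tag == 'lam':                         # Γ | Δ, x:A ⊢ t : B  ⟹  Γ | Δ ⊢ λx:A.t : A ⊸ B
        _, x, a, body = term
        b, used = infer(gamma, {**delta, x: a}, body)
        if x not in used:
            raise LinearityError(f"linear variable {x} is never used")
        return ('⊸', a, b), used - {x}
    if tag == 'app':                         # Γ|Δ1 ⊢ t : A ⊸ B   Γ|Δ2 ⊢ u : A  ⟹  Γ|Δ ⊢ tu : B
        ft, fu = infer(gamma, delta, term[1])
        at, au = infer(gamma, delta, term[2])
        split(fu, au)
        if not (isinstance(ft, tuple) and ft[0] == '⊸' and ft[1] == at):
            raise TypeError(f"cannot apply {ft} to {at}")
        return ft[2], fu | au
    if tag == 'tensor':                      # Γ|Δ1 ⊢ t : A   Γ|Δ2 ⊢ u : B  ⟹  Γ|Δ ⊢ t ⊗ u : A ⊗ B
        a, ua = infer(gamma, delta, term[1])
        b, ub = infer(gamma, delta, term[2])
        split(ua, ub)
        return ('⊗', a, b), ua | ub
    if tag == 'let_unit':                    # Γ|Δ1 ⊢ t : I   Γ|Δ2 ⊢ u : A  ⟹  Γ|Δ ⊢ let t be • in u : A
        it, iu = infer(gamma, delta, term[1])
        if it != 'I':
            raise TypeError(f"expected I, got {it}")
        a, ua = infer(gamma, delta, term[2])
        split(iu, ua)
        return a, iu | ua
    if tag == 'let_tensor':                  # Γ|Δ1 ⊢ u : A ⊗ B   Γ|Δ2, x:A, y:B ⊢ t : C  ⟹  ... : C
        _, u, x, y, body = term
        ut, uu = infer(gamma, delta, u)
        if not (isinstance(ut, tuple) and ut[0] == '⊗'):
            raise TypeError(f"expected a tensor type, got {ut}")
        c, ub = infer(gamma, {**delta, x: ut[1], y: ut[2]}, body)
        if not {x, y} <= ub:
            raise LinearityError(f"linear variable(s) {sorted({x, y} - ub)} never used")
        split(uu, ub - {x, y})
        return c, uu | (ub - {x, y})
    if tag == 'let_bang':                    # Γ|Δ1 ⊢ t : !A   Γ, x:A | Δ2 ⊢ u : B  ⟹  ... : B
        _, t, x, body = term
        tt, tu = infer(gamma, delta, t)
        if not (isinstance(tt, tuple) and tt[0] == '!'):
            raise TypeError(f"expected a !-type, got {tt}")
        b, bu = infer({**gamma, x: tt[1]}, delta, body)   # x moves to the intuitionistic zone
        split(tu, bu)
        return b, tu | bu
    raise TypeError(f"unknown term {term!r}")

def check(gamma, delta, term):
    """Type of Γ|Δ ⊢ term; every linear variable of Δ must be consumed exactly once."""
    ty, used = infer(gamma, delta, term)
    unused = set(delta) - used
    if unused:
        raise LinearityError(f"linear variable(s) {sorted(unused)} never used")
    return ty

def accepts(gamma, delta, term):
    """True if Γ|Δ ⊢ term is derivable, False if Table 5 rejects it."""
    try:
        check(gamma, delta, term)
        return True
    except TypeError:
        return False

if __name__ == "__main__":
    # let u be !x in x ⊗ x: the !-type lets a linear resource be copied once it is unpacked.
    print(check({}, {'u': ('!', 'A')}, ('let_bang', ('var', 'u'), 'x', ('tensor', ('var', 'x'), ('var', 'x')))))
    print(accepts({}, {'y': 'A'}, ('tensor', ('var', 'y'), ('var', 'y'))))   # contraction: rejected
```

The rejected cases in the usage are exactly the two structural rules the text says are confined to $\Gamma$: duplicating a linear y is caught by `split`, dropping one is caught at the binder or at the root, and promoting a term that depends on a linear variable is caught in the `bang` case.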



$E : \mathbf{C}^{op} \to \mathbf{Set}^S$ by setting $E(\Gamma)_A$ to be the set of typing judgements $\Gamma|\_ \vdash t : A$. This makes E a cartesian context handling category; E can be made into an E-category using Girard's decomposition of intuitionistic function spaces $A \Rightarrow B$ into linear function spaces $!A \multimap B$.

Finally we construct a !L-category. This is greatly simplified by observing that $\mathbf{B}$ is naturally isomorphic to the full subcategory $\mathbf{B}_0$ whose objects are $\_|x : A$ — again these isomorphisms use the let-substitutions of xDILL. Thus we define a monoidal adjunction $F \dashv G : \mathbf{C} \to \mathbf{B}_0$ which then extends to a monoidal adjunction on $\mathbf{B}$. The functor F is given by $F(\Gamma) = \_|z : (!X_1 \otimes \cdots \otimes\ !X_n)$, where $\Gamma = x_1 : X_1, \ldots, x_n : X_n$ and z is some canonical choice of variable. To define F on morphisms, let $\Gamma|\_ \vdash t_j : Y_j$. Then since there is an isomorphism $F(\Gamma) \to \Gamma$, there are judgements $F(\Gamma) \vdash\ !t_j : !Y_j$. Hence $F(t_1, \ldots, t_n) = \langle (!t_1 \otimes \cdots \otimes\ !t_n)/z \rangle$. We define G on objects by $G(\_|x : A) = z : A$ — this makes G right-adjoint to F as the required natural isomorphism on sets of derivations follows from the isomorphism in $\mathbf{B}$ between $\Gamma$ and $F(\Gamma)$. Moreover one can show that we have the required additional data to form a !L-category. Hence we have shown the following theorem:

Theorem 16 The term model is a !L-category.
Table 6. Equality Judgements for xDILL

Let @ be either ; or * depending whether h is a term or a substitution.

— β- and η-equality:

$$\mathrm{let}\ !u\ \mathrm{be}\ !x\ \mathrm{in}\ t = \langle u/x \rangle * t$$

$$(\lambda x{:}A.t)u = \langle u/x \rangle * t \qquad \lambda x{:}A.tx = t$$

$$\mathrm{let}\ v \otimes u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ h = \langle v/x, u/y \rangle\ @\ h \qquad \mathrm{let}\ \bullet\ \mathrm{be}\ \bullet\ \mathrm{in}\ h = h$$

$$\frac{\Gamma|\Delta_1 \vdash u : A \otimes B \quad \Gamma|\Delta_2, z : A \otimes B \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash f[u/z] = \mathrm{let}\ u\ \mathrm{be}\ x \otimes y\ \mathrm{in}\ \langle (x \otimes y)/z \rangle ; f}$$

$$\frac{\Gamma|\Delta_1 \vdash u : I \quad \Gamma|\Delta_2, z : I \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash f[u/z] = \mathrm{let}\ u\ \mathrm{be}\ \bullet\ \mathrm{in}\ \langle \bullet/z \rangle ; f} \qquad \frac{\Gamma|\Delta_1 \vdash u : !A \quad \Gamma|\Delta_2, z : !A \vdash f : \Gamma'|\Delta'}{\Gamma|\Delta \vdash f[u/z] = \mathrm{let}\ u\ \mathrm{be}\ !x\ \mathrm{in}\ \langle !x/z \rangle ; f}$$

— Application of Substitutions:

$$() ; f = f \qquad () * t = t \qquad (f ; g) ; h = f ; (g ; h)$$

$$\langle f, t/x \rangle * x = t \qquad \langle f, t/y \rangle * x = f * x$$

$$\frac{\Gamma|\Delta \vdash f : \_|\_}{\Gamma|\Delta \vdash f = ()} \qquad \frac{\Gamma|\Delta \vdash () : \Gamma'|\Delta' \quad \Gamma' = x_i : X_i \quad \Delta' = y_j : Y_j}{\Gamma|\Delta \vdash () = \langle x_i/x_i, y_j/y_j \rangle}$$

— If f is of the form $\langle t_1/x_1, \ldots \rangle$ and $f_t$ is f restricted to the free variables of t:

$$f ; \langle g, t/x \rangle = \langle f_g ; g, (f_t * t)/x \rangle \qquad f *\ !u =\ !(f * u)$$

$$f * (u \otimes v) = (f_u * u) \otimes (f_v * v) \qquad f * \bullet = \bullet$$

$$f * \lambda y{:}A.u = \lambda z{:}A.\langle f, z/y \rangle * u \qquad f * uv = (f_u * u)(f_v * v)$$

$$f\ @\ \mathrm{let}\ t\ \mathrm{be}\ p\ \mathrm{in}\ h = \mathrm{let}\ (f_t * t)\ \mathrm{be}\ p\ \mathrm{in}\ f_h\ @\ h$$



6 Summary and Discussion

We have modularly defined new categorical models for λ-calculi extended with explicit substitutions. We took our intuitions from indexed category theory but had to make alterations so as to accommodate linear calculi in the same framework as cartesian calculi. We have also related these models to the well-established categorical models for their underlying λ-calculi and proved appropriate soundness and completeness results.

Recapitulating from the introduction, the reason for describing these models is our goal of designing an abstract machine based on the linear lambda-calculus that is conceptually clean (and easy to prove correct!). These models have already been used to derive a linear lambda-calculus with explicit substitutions [10] and an abstract machine, which has been implemented by Alberti [2].

However there are two questions which remain unresolved and require further research. Firstly we have been unable to find concrete instances of our proposed models. Secondly, and perhaps more importantly, our definition of a context handling category $L : \mathbf{B}^{op} \to \mathbf{Set}^T$ distinguishes between isomorphic entities, e.g. the functor $L(A)$ and the hom-functor $\mathrm{Hom}_{\mathbf{B}}(-, A)$. This goes somewhat against the grain of category theory which tends to regard isomorphic structures as being indistinguishable. However, were we to take the alternative approach of identifying the functor L with the hom-functors and dropping the transformations Sub and Term, while maintaining a Curry-Howard correspondence, this would entail dropping the crucial combinator which forms substitutions from terms from the associated calculus of explicit substitutions. Hence we keep the functor L and the natural isomorphisms Sub and Term in Definition 1.

We would like to thank Peter Dybjer, Martin Hofmann, Andrea Schalk and Martin Hyland for discussions on the subject of this paper.
Abstract. The ambient calculus is a process calculus for describing mobile computation. We develop a theory of Morris-style contextual equivalence for proving properties of mobile ambients. We prove a context lemma that allows derivation of contextual equivalences by considering contexts of a particular limited form, rather than all arbitrary contexts. We give an activity lemma that characterizes the possible interactions between a process and a context. We prove several examples of contextual equivalence. The proofs depend on characterizing reductions in the ambient calculus in terms of a labelled transition system.



1 Motivation

This paper develops tools for proving equations in the ambient calculus.

In earlier work [6], we introduced the ambient calculus by adding ambients — mobile, hierarchical protection domains — to a framework for concurrency extracted from the π-calculus [12]. The ambient calculus is an abstract model of mobile computation, including both mobile software agents and mobile hardware devices. The calculus models access control as well as mobility. For example, a process may move into or out of a particular ambient only if it possesses the appropriate capability.

This paper focuses on behavioural equivalence of mobile ambients. In particular, we study a form of Morris' contextual equivalence [14] for ambients and develop some proof techniques. Our motivation is to prove a variety of equations. Some of these equations express and confirm some of the informal principles we had in mind when designing the calculus. As in other recent work [1,2], some of the equations establish security properties of systems modelled within the calculus.

The inclusion of primitives for mobility makes the theory of the ambient calculus more complex than that of its ancestor, the π-calculus. The main contribution of this paper is to demonstrate that some standard tools — a labelled transition system, a context lemma, and an activity lemma — may be recast in the setting of the ambient calculus. Moreover, the paper introduces a new technique — based on what we call the hardening relation — for factoring the definition of the labelled transition system into a set of rules that identify the individual processes participating in a transition, and a set of rules that express how the participant processes interact.

W. Thomas (Ed.): FOSSACS'99, LNCS 1578, pp. 212-226, 1999.
© Springer-Verlag Berlin Heidelberg 1998
We begin, in Section 2, by reviewing the syntax and reduction semantics of the ambient calculus. The semantics consists of a structural congruence relation $P \equiv Q$ (which says that P may be structurally rearranged to yield Q) and a reduction relation $P \to Q$ (which says that P may evolve in one step of computation to yield Q).

We introduce contextual equivalence $P \simeq Q$ in Section 3. We define a predicate, $P \Downarrow n$, which means intuitively that an observer may eventually detect an ambient named n at the top-level of the process P. Then we define $P \simeq Q$ to mean that, whenever P and Q are placed within an arbitrary context constructed from the syntax of the calculus, any observation made of P may also be made of Q, and vice versa. We give examples of pairs of processes that are equivalent and examples of pairs that are inequivalent.

In Section 4, we describe some techniques for proving contextual equivalence. We introduce a second operational semantics for the ambient calculus based on a hardening relation and a labelled transition system. The hardening relation identifies the subprocesses of a process that may participate in a computation step. We use the hardening relation both for defining the labelled transition system and for characterizing whether an ambient of a particular name is present at the top-level of a process. Our first result, Theorem 1, asserts that the τ-labelled transition relation and the reduction relation are the same, up to structural congruence. So our two operational semantics are equivalent. The labelled transition system is useful for analyzing the possible evolution of a process, since we may read off the possible labelled transitions of a process by inspecting its syntactic structure. Our second result, Theorem 2, is a context lemma that allows us to prove contextual equivalence by considering a limited set of contexts, known as harnesses, rather than all arbitrary contexts. A harness is a context with a single hole that is enclosed only within parallel compositions, restrictions, and ambients. The third result of this section, Theorem 3, is an activity lemma that elaborates the ways in which a reduction may be derived when a process is inserted into a harness: either the process reduces by itself, or the harness reduces by itself, or there is an interaction between the harness and the process.

We exercise these proof techniques on examples in Section 5, and conclude in Section 6.



2 The Ambient Calculus (Review)

We briefly describe the syntax and semantics of the calculus. We assume there are infinite sets of names and variables, ranged over by m, n, p, q, and x, y, z, respectively. The syntax of the ambient calculus is based on categories of expressions and processes, ranged over by M, N, and P, Q, R, respectively. The calculus inherits a core of concurrency primitives from the π-calculus: a restriction $(\nu n)P$ creates a fresh name n whose scope is P; a composition $P \mid Q$ behaves as P and Q running in parallel; a replication $!P$ behaves as unboundedly many replicas of P running in parallel; and the inactive process 0 does nothing. We augment these π-calculus processes with primitives for mobility — ambients, $n[P]$, and the exercise of capabilities, $M.P$ — and primitives for communication — input, $(x).P$, and output, $\langle M \rangle$.

Here is an example process that illustrates the new primitives for mobility and communication:

$$m[p[\mathrm{out}\ m.\mathrm{in}\ n.\langle M \rangle]] \mid n[\mathrm{open}\ p.(x).Q]$$

The effect of the mobility primitives in this example is to move the ambient p out of m and into n, and then to open it up. The input $(x).Q$ may then consume the output $\langle M \rangle$ to leave the residue $m[\,] \mid n[Q\{x \leftarrow M\}]$. We may regard the ambients m and n in this example as modelling two machines on a network, and the ambient p as modelling a packet sent from m to n. Next, we describe the semantics of the new primitives in more detail.

An ambient $n[P]$ is a boundary, named n, around the process P. The boundary prevents direct interactions between P and any processes running in parallel with $n[P]$, but it does not prevent interactions within P. Ambients may be nested, so they induce a hierarchy. For example, in the process displayed above, the ambient named m is a parent of the ambient named p, and the ambients named m and n are siblings.

An action $M.P$ exercises the capabilities represented by M, and then behaves as P. The action either affects an enclosing ambient or one running in parallel. A capability is an expression derived from the name of an ambient. The three basic capabilities are in n, out n, and open n. An action in n.P moves its enclosing ambient into a sibling ambient named n. An action out n.P moves its enclosing ambient out of its parent ambient, named n, to become a sibling of the former parent. An action open n.P dissolves the boundary of an ambient $n[Q]$ running in parallel; the outcome is that the residue P of the action and the residue Q of the opened ambient run in parallel. In general, the expression M in $M.P$ may stand for a finite sequence of the basic capabilities, which are exercised one by one. Finite sequences are built up using concatenation, written $M.M'$. The empty sequence is written ε.

The final two process primitives allow communication of expressions. Expressions include names, variables, and capabilities. An output $\langle M \rangle$ outputs the expression M. An input $(x).P$ blocks until it may consume an output running in parallel. Then it binds the expression being output to the variable x, and runs P. In $(x).P$, the variable x is bound; its scope is P. Inputs and outputs are local to the enclosing ambient. Inputs and outputs may not interact directly through an ambient boundary. Hence we may think of there being an implicit input/output channel associated with each ambient.

We formally specify the syntax of the calculus as follows: 



Expressions and processes: 

M, N ::=            expressions 
    x               variable 
    n               name 
    in M            can enter M 
    out M           can exit M 
    open M          can open M 
    ε               null 
    M.M'            path 

P, Q, R ::=         processes 
    (νn)P           restriction 
    0               inactivity 
    P | Q           composition 
    !P              replication 
    M[P]            ambient 
    M.P             action 
    (x).P           input 
    ⟨M⟩             output 



In situations where a process is expected, we often write just M as a short- 
hand for the process M.0. We often write just M[] as a shorthand for the process 
M[0]. We write (νp)P as a shorthand for (νp₁)···(νp_k)P where p = p₁, …, p_k. 
We let fn(M) and fv(M) be the sets of free names and free variables, re- 
spectively, of an expression M. Similarly, fn(P) and fv(P) are the sets of free 
names and free variables of a process P. If a phrase φ is an expression or a 
process, we write φ{x←M} and φ{n←M} for the outcomes of capture-avoiding 
substitutions of the expression M for each free occurrence of the variable x and 
the name n, respectively, in φ. We identify processes up to consistent renaming 
of bound names and variables. 

We formally define the operational semantics of ambient calculus in the chem- 
ical style, using structural congruence and reduction relations: 



Structural Congruence: P ≡ Q 

P ≡ P 
Q ≡ P ⇒ P ≡ Q 
P ≡ Q, Q ≡ R ⇒ P ≡ R 

P ≡ Q ⇒ (νn)P ≡ (νn)Q 
P ≡ Q ⇒ P | R ≡ Q | R 
P ≡ Q ⇒ !P ≡ !Q 
P ≡ Q ⇒ M[P] ≡ M[Q] 
P ≡ Q ⇒ M.P ≡ M.Q 
P ≡ Q ⇒ (x).P ≡ (x).Q 

P | Q ≡ Q | P 
(P | Q) | R ≡ P | (Q | R) 
!P ≡ P | !P 
(νn)(νm)P ≡ (νm)(νn)P 
n ∉ fn(P) ⇒ (νn)(P | Q) ≡ P | (νn)Q 
n ≠ m ⇒ (νn)m[P] ≡ m[(νn)P] 

P | 0 ≡ P 
(νn)0 ≡ 0 
!0 ≡ 0 
ε.P ≡ P 
(M.M').P ≡ M.M'.P 




Reduction: P → Q 

n[in m.P | Q] | m[R] → m[n[P | Q] | R] 
m[n[out m.P | Q] | R] → n[P | Q] | m[R] 
open n.P | n[Q] → P | Q 
⟨M⟩ | (x).P → P{x←M} 

P → Q ⇒ P | R → Q | R 
P → Q ⇒ (νn)P → (νn)Q 
P → Q ⇒ n[P] → n[Q] 
P' ≡ P, P → Q, Q ≡ Q' ⇒ P' → Q' 



For example, the process displayed earlier has the following reductions: 



m[p[out m.in n.⟨M⟩]] | n[open p.(x).P] 
  → m[] | p[in n.⟨M⟩] | n[open p.(x).P] 
  → m[] | n[p[⟨M⟩] | open p.(x).P] 
  → m[] | n[⟨M⟩ | (x).P] 
  → m[] | n[P{x←M}] 

The syntax allows the formation of certain processes that may not participate 
in any reductions, such as the action n.P and the ambient (in n)[P]. The presence 
of these nonsensical processes is harmless as far as the purposes of this paper 
are concerned. They may be ruled out by a simple type system [7]. 

This concludes our brief review of the calculus. An earlier paper [6] explains in 
detail the motivation for our calculus, and gives several programming examples. 

3 Contextual Equivalence 

Morris-style contextual equivalence [14] (otherwise known as may-testing equiva- 
lence [8]) is a standard way of saying that two processes have the same behaviour: 
two processes are contextually equivalent if and only if they admit the same ele- 
mentary observations whenever they are inserted inside any arbitrary enclosing 
process. In the setting of the ambient calculus, we shall define contextual equiv- 
alence in terms of observing the presence, at the top-level of a process, of an 
ambient whose name is not restricted. 

Let us say that a process P exhibits a name n just if P is a process with a 
top-level ambient named n that is not restricted: 

Exhibition of a Name: P ↓ n 

P ↓ n ≜ there are m, P', P'' with n ∉ {m} and P ≡ (νm)(n[P'] | P'') 



Let us say that a process P converges to a name n just if after some number 
of reductions, P exhibits n: 

Convergence to a Name: P ⇓ n 

(Conv Exh) 
P ↓ n 
----- 
P ⇓ n 

(Conv Red) 
P → Q    Q ⇓ n 
-------------- 
P ⇓ n 



Next, let a context, C(), be a process containing zero or more holes. We write 
a hole as (). We write C(P) for the outcome of filling each of the holes in the 
context C with the process P. Variables and names free in P may become bound 
in C(P). For example, if P = n[⟨x⟩] and C() = (νn)(x).(), the variable x and the 
name n have become bound in C(P) = (νn)(x).n[⟨x⟩]. Hence, we do not identify 
contexts up to renaming of bound variables and names. 

Now, we can formally define contextual equivalence of processes: 

Contextual Equivalence: P ≃ Q 

P ≃ Q ≜ for all contexts C() and names n, C(P) ⇓ n ⇔ C(Q) ⇓ n 



The following two propositions state some basic properties enjoyed by con- 
textual equivalence. Let a relation R be a precongruence if and only if, for all 
P, Q, and C(), if P R Q then C(P) R C(Q). If, in addition, R is reflexive, 
symmetric, and transitive, we say it is a congruence. For example, the structural 
congruence relation has these properties. Moreover, by a standard argument, so 
has contextual equivalence: 

Proposition 1. Contextual equivalence is a congruence. 

Structural congruence preserves exhibition of or convergence to a name, and 
hence is included in contextual equivalence: 

Lemma 1. Suppose P ≡ Q. If P ↓ n then Q ↓ n. Moreover, if P ⇓ n then 
Q ⇓ n with the same depth of inference. 

Proposition 2. If P ≡ Q then P ≃ Q. 

The following two examples illustrate that to show that two processes are 
contextually inequivalent, it suffices to find a context that distinguishes them. 

Example 1. If m ≠ n then m[] ≄ n[]. 

Proof. Consider the context C() = (). Since C(m[]) = m[], we have C(m[]) ↓ 
m. By (Conv Exh), C(m[]) ⇓ m. On the other hand, the process n[] has no 
reductions, and does not exhibit m. Hence, we cannot derive C(n[]) ⇓ m. □ 

Example 2. If m ≠ n then open m.0 ≄ open n.0. 

Proof. Let C() = m[p[]] | (). Then C(open m.0) ⇓ p but not C(open n.0) ⇓ p. □ 

On the other hand, it is harder to show that two processes are contextually 
equivalent, since one must consider their behaviour when placed in an arbitrary 
context. For example, consider the following contextual equivalence: 

Example 3. (νn)(n[] | open n.P) ≃ P if n ∉ fn(P). 

The restriction of the name n in the process (νn)(n[] | open n.P) implies that 
no context may interact with this process until it has reduced to P. Therefore, 
we would expect the equation to hold. But to prove this and other equations 
formally we need some further techniques, which we develop in the next section. 
We return to Example 3 in Section 5. 



4 Tools for Proving Contextual Equivalence 

The tools we introduce are relations and theorems that help prove contextual 
equivalence. 
4.1 A Hardening Relation 

In this section, we define a relation that explicitly identifies the top-level sub- 
processes of a process that may be involved in a reduction. This relation, the 
hardening relation, takes the form 

P > (νp₁, …, p_k)⟨P'⟩P'' 

where the phrase (νp₁, …, p_k)⟨P'⟩P'' is called a concretion. We say that P' is 
the prime of the concretion, and that P'' is the residue of the concretion. Both P' 
and P'' lie in the scope of the restricted names p₁, …, p_k. The intuition is that 
the process P, which may have many top-level subprocesses, may harden to a 
concretion that singles out a prime subprocess P', leaving behind the residue 
P''. By saying that P' has a top-level occurrence in P, we mean that P' is a 
subprocess of P not enclosed within any ambient boundaries. In the next section, 
we use the hardening relation to define an operational semantics for the ambient 
calculus in terms of interactions between top-level occurrences of processes. 

Concretions were introduced by Milner in the context of the π-calculus [10]. 
For the ambient calculus, we specify them as follows, where the prime of the 
concretion must be an action, an ambient, an input, or an output: 



Concretions: 

C, D ::=                  concretions 
    (νp)⟨M.P⟩Q            action, M ∈ {in n, out n, open n} 
    (νp)⟨n[P]⟩Q           ambient 
    (νp)⟨(x).P⟩Q          input 
    (νp)⟨⟨M⟩⟩Q            output 

The order of the bound names p₁, …, p_k in a concretion (νp₁, …, p_k)⟨P'⟩P'' 
does not matter and they may be renamed consistently. When k = 0, we may 
write the concretion as (ν)⟨P'⟩P''. 

We now introduce the basic ideas of the hardening relation informally. If P 
is an action in n.Q, out n.Q, open n.Q, an ambient n[Q], an input (x).Q, or an 
output ⟨M⟩, then P hardens to (ν)⟨P⟩0. Consider two processes P and Q. If 
either of these hardens to a concretion, then their composition P | Q may harden 
to the same concretion, but with the other process included in the residue of the 
concretion. For example, if P > (ν)⟨P₁⟩P₂ then P | Q > (ν)⟨P₁⟩(P₂ | Q). If 
a process P hardens to a concretion, then the replication !P may harden to 
the same concretion, but with !P included in the residue of the concretion; a 
replication is not consumed by hardening. Finally, if a process P hardens to a 
concretion C, then the restriction (νn)P hardens to a concretion written (νn)C, 
which is the same as C but with the restriction (νn) included either in the list 
of bound names, the prime, or the residue of C. We define (νn)C by: 

Restricting a concretion: (νn)C where C = (νp)⟨P₁⟩P₂ and n ∉ {p} 

(1) If n ∈ fn(P₁) then: 
    (a) If P₁ = m[P₁'], m ≠ n, and n ∉ fn(P₂), let (νn)C = (νp)⟨m[(νn)P₁']⟩P₂. 
    (b) Otherwise, let (νn)C = (νn,p)⟨P₁⟩P₂. 

(2) If n ∉ fn(P₁) let (νn)C = (νp)⟨P₁⟩(νn)P₂. 



Next, we define the hardening relation by the following: 



Hardening: P > C 

(Harden Action) 
M ∈ {in n, out n, open n} 
------------------------- 
M.P > (ν)⟨M.P⟩0 

(Harden ε) 
P > C 
------- 
ε.P > C 

(Harden .) 
M.(N.P) > C 
----------- 
(M.N).P > C 

(Harden Amb)          (Harden Input)          (Harden Output) 
n[P] > (ν)⟨n[P]⟩0     (x).P > (ν)⟨(x).P⟩0     ⟨M⟩ > (ν)⟨⟨M⟩⟩0 

(Harden Par 1) (for {p} ∩ fn(Q) = ∅) 
P > (νp)⟨P'⟩P'' 
---------------------------- 
P | Q > (νp)⟨P'⟩(P'' | Q) 

(Harden Par 2) (for {q} ∩ fn(P) = ∅) 
Q > (νq)⟨Q'⟩Q'' 
---------------------------- 
P | Q > (νq)⟨Q'⟩(P | Q'') 

(Harden Repl) 
P > (νp)⟨P'⟩P'' 
---------------------------- 
!P > (νp)⟨P'⟩(P'' | !P) 

(Harden Res) 
P > C 
--------------- 
(νn)P > (νn)C 



For example, the process P = (νp)(νq)(n[p[]] | q[]) may harden in two ways: 

P > (ν)⟨n[(νp)p[]]⟩(νq)(0 | q[]) 

P > (νq)⟨q[]⟩(νp)(n[p[]] | 0) 

The next two results relate hardening and structural congruence. 

Lemma 2. If P > (νp)⟨P'⟩P'' then P ≡ (νp)(P' | P''). 

Proposition 3. If P ≡ Q and Q > (νr)⟨Q'⟩Q'' then there are P' and P'' 
with P > (νr)⟨P'⟩P'', P' ≡ Q', and P'' ≡ Q''. 

These results follow from inductions on the derivations of P > (νp)⟨P'⟩P'' 
and P ≡ Q, respectively. Using them, we may characterize exhibition of a name 
independently of structural congruence: 

Proposition 4. P ↓ n if and only if P > (νp)⟨n[P']⟩P'' and n ∉ {p}. 

Now, we can show that the hardening relation is image-finite: 

Lemma 3. For all P, {C : P > C} is finite. 

The proof of this lemma is by induction on the structure of P, and suggests 
a procedure for enumerating the set {C : P > C}. Given Proposition 4, it 
follows that the predicate P ↓ n is decidable. 
4.2 A Labelled Transition System 

The labelled transition system presented in this section allows for an analysis 
of the possible reductions from a process P in terms of the syntactic structure 
of P. The definition of the reduction relation does not directly support such an 
analysis, because of the rule P' ≡ P, P → Q, Q ≡ Q' ⇒ P' → Q', which allows 
for arbitrary structural rearrangements of a process during the derivation of a 
reduction. 

We define a family of transition relations P --α--> Q, indexed by a set of labels, 
ranged over by α ::= τ | in n | out n | open n. An M-transition P --M--> Q means 
that the process P has a top-level process exercising the capability M; these 
transitions are defined by the rule (Trans Cap) below. A τ-transition P --τ--> Q 
means that P evolves in one step to Q; these transitions are defined by the other 
rules below. 

Labelled transitions: P --α--> P' where α ::= τ | in n | out n | open n 

(Trans Amb) 
P > (νp)⟨n[Q]⟩P'    Q --τ--> Q' 
------------------------------- 
P --τ--> (νp)(n[Q'] | P') 

(Trans Cap) 
P > (νp)⟨M.P'⟩P''    fn(M) ∩ {p} = ∅ 
------------------------------------ 
P --M--> (νp)(P' | P'') 

(Trans In) (where {r} ∩ fn(n[Q]) = ∅ and {r} ∩ {p} = ∅) 
P > (νp)⟨n[Q]⟩R    Q --in m--> Q'    R > (νr)⟨m[R']⟩R'' 
--------------------------------------------------------- 
P --τ--> (νp,r)(m[n[Q'] | R'] | R'') 

(Trans Out) (where n ∉ {q}) 
P > (νp)⟨n[Q]⟩P'    Q > (νq)⟨m[R]⟩Q'    R --out n--> R' 
--------------------------------------------------------- 
P --τ--> (νp)((νq)(m[R'] | n[Q']) | P') 

(Trans Open) 
P > (νp)⟨n[Q]⟩P'    P' --open n--> P'' 
-------------------------------------- 
P --τ--> (νp)(Q | P'') 

(Trans I/O) (where {q} ∩ fn(⟨M⟩) = ∅) 
P > (νp)⟨⟨M⟩⟩P'    P' > (νq)⟨(x).P''⟩P''' 
------------------------------------------ 
P --τ--> (νp)(νq)(P''{x←M} | P''') 



The rules (Trans In), (Trans Out), and (Trans Open) derive a τ-transition 
from an M-transition. We introduced the M-transitions to simplify the state- 
ment of these three rules. (Trans I/O) allows for exchange of messages. (Trans 
Amb) is a congruence rule for τ-transitions within ambients. 

Given its definition in terms of the hardening relation, we may analyze the 
transitions derivable from any process by inspection of its syntactic structure. 
This allows a structural analysis of the possible reductions from a process, since 
the τ-transition relation corresponds to the reduction relation as in the following 
theorem, where P --τ-->≡ Q means there is R with P --τ--> R and R ≡ Q. 

Theorem 1. P → Q if and only if P --τ-->≡ Q. 

As corollaries of Theorem 1 and Lemma 4, we get that the transition system 
is image-finite, and that the reduction relation is image-finite up to structural 
congruence: 

Lemma 4. For all P and α, the set {R : P --α--> R} is finite. 
Lemma 5. For all P, the set {{R : Q ≡ R} : P → Q} is finite. 
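As an added example (not code from the paper), the following Python model implements the hardening relation of Section 4.1, including the three cases for restricting a concretion, decides P ↓ n as in Proposition 4, and derives the τ-transitions (Trans In), (Trans Out), (Trans Open) and (Trans Amb) of this section, for the fragment without communication. It is run on the hardening example (νp)(νq)(n[p[]] | q[]), on the Section 2 reduction sequence with the message exchange replaced by an assumed marker ambient msg[], and on a perfect firewall (νn)n[k[]] of the kind studied in Section 5.2; the Barendregt convention on bound names is assumed so that the rules' side conditions hold without renaming.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumption (Barendregt convention): every restricted name in a term is distinct
# from all other names in it, so the side conditions {p} ∩ fn(Q) = ∅ of
# (Harden Par) and n ∉ {p} of "restricting a concretion" hold by construction.
@dataclass(frozen=True)
class Zero: pass                                    # 0
@dataclass(frozen=True)
class Par:  left: object; right: object             # P | Q
@dataclass(frozen=True)
class Res:  name: str; body: object                 # (νn)P
@dataclass(frozen=True)
class Amb:  name: str; body: object                 # n[P]
@dataclass(frozen=True)
class Act:  cap: str; name: str; body: object       # in n.P, out n.P, open n.P
@dataclass(frozen=True)
class Repl: body: object                            # !P
@dataclass(frozen=True)
class Concretion:                                   # (νp)<prime>residue
    bound: Tuple[str, ...]; prime: object; residue: object

def fn(p) -> frozenset:
    """Free names fn(P)."""
    if isinstance(p, Zero): return frozenset()
    if isinstance(p, Par):  return fn(p.left) | fn(p.right)
    if isinstance(p, Res):  return fn(p.body) - {p.name}
    if isinstance(p, Repl): return fn(p.body)
    return fn(p.body) | {p.name}                    # Amb, Act

def res_all(names, p):
    """(νp1)...(νpk)P for names = (p1, ..., pk)."""
    for n in reversed(names): p = Res(n, p)
    return p

def restrict(n: str, c: Concretion) -> Concretion:
    """(νn)C: the three-way case split of Section 4.1."""
    if n in fn(c.prime):
        if isinstance(c.prime, Amb) and c.prime.name != n and n not in fn(c.residue):  # (1a)
            return Concretion(c.bound, Amb(c.prime.name, Res(n, c.prime.body)), c.residue)
        return Concretion((n,) + c.bound, c.prime, c.residue)                        # (1b)
    return Concretion(c.bound, c.prime, Res(n, c.residue))                           # (2)

def harden(p) -> List[Concretion]:
    """Every C with P > C; always a finite list (Lemma 3)."""
    if isinstance(p, (Act, Amb)):                   # (Harden Action), (Harden Amb)
        return [Concretion((), p, Zero())]
    if isinstance(p, Par):                          # (Harden Par 1), (Harden Par 2)
        return ([Concretion(c.bound, c.prime, Par(c.residue, p.right)) for c in harden(p.left)] +
                [Concretion(c.bound, c.prime, Par(p.left, c.residue)) for c in harden(p.right)])
    if isinstance(p, Repl):                         # (Harden Repl): !P survives in the residue
        return [Concretion(c.bound, c.prime, Par(c.residue, p)) for c in harden(p.body)]
    if isinstance(p, Res):                          # (Harden Res)
        return [restrict(p.name, c) for c in harden(p.body)]
    return []                                       # 0 has no hardening

def exhibited_names(p) -> frozenset:
    """{n : P ↓ n}, decided as in Proposition 4: P > (νp)<n[P']>P'' with n ∉ {p}."""
    return frozenset(c.prime.name for c in harden(p)
                     if isinstance(c.prime, Amb) and c.prime.name not in c.bound)

def cap_steps(p, cap: str) -> List[Tuple[str, object]]:
    """(Trans Cap): pairs (n, Q) with P --cap n--> Q, where Q = (νp)(P' | P'') and n ∉ {p}."""
    return [(c.prime.name, res_all(c.bound, Par(c.prime.body, c.residue))) for c in harden(p)
            if isinstance(c.prime, Act) and c.prime.cap == cap and c.prime.name not in c.bound]

def tau_steps(p) -> List[object]:
    """All Q with P --τ--> Q by (Trans In), (Trans Out), (Trans Open), (Trans Amb)."""
    out = []
    for c in harden(p):
        if not isinstance(c.prime, Amb): continue   # every τ-rule hardens P to an ambient
        n, q, rest, pb = c.prime.name, c.prime.body, c.residue, c.bound
        for m, q2 in cap_steps(q, "in"):            # (Trans In): n[Q] enters a sibling m[R'] in the residue
            for d in harden(rest):
                if isinstance(d.prime, Amb) and d.prime.name == m and m not in d.bound:
                    out.append(res_all(pb + d.bound, Par(Amb(m, Par(Amb(n, q2), d.prime.body)), d.residue)))
        for d in harden(q):                         # (Trans Out): an m[R] inside n[Q] exits n
            if isinstance(d.prime, Amb) and n not in d.bound:
                for k, r2 in cap_steps(d.prime.body, "out"):
                    if k == n:
                        out.append(res_all(pb, Par(res_all(d.bound, Par(Amb(d.prime.name, r2), Amb(n, d.residue))), rest)))
        for k, r2 in cap_steps(rest, "open"):       # (Trans Open): the residue opens n[Q]
            if k == n: out.append(res_all(pb, Par(q, r2)))
        for q2 in tau_steps(q):                     # (Trans Amb): a τ-step inside n[Q]
            out.append(res_all(pb, Par(Amb(n, q2), rest)))
    return out

def run(p) -> List[object]:
    """Follow τ-steps while exactly one is enabled; returns the processes visited."""
    trace = [p]
    while len(tau_steps(trace[-1])) == 1:
        trace.append(tau_steps(trace[-1])[0])
    return trace

# Constructed inputs: the paper's hardening example (νp)(νq)(n[p[]] | q[]); the Section 2
# reduction sequence with <M> replaced by the marker ambient msg[] (an assumed name) and
# (x).P by 0, since communication is not modelled; and a perfect firewall (νn)n[k[]].
HARDEN_EX = Res("p", Res("q", Par(Amb("n", Amb("p", Zero())), Amb("q", Zero()))))
EXAMPLE = Par(Amb("m", Amb("p", Act("out", "m", Act("in", "n", Amb("msg", Zero()))))),
              Amb("n", Act("open", "p", Zero())))
FIREWALL = Res("n", Amb("n", Amb("k", Zero())))
```

Running `run(EXAMPLE)` yields the four processes of the Section 2 reduction sequence (up to structural congruence), and `tau_steps(FIREWALL)` together with `exhibited_names(FIREWALL)` is empty, which is the operational content of the perfect firewall equation.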



4.3 A Context Lemma 

The context lemma presented in this section is a tool for proving contextual 
equivalence by considering only a limited set of contexts, rather than all contexts. 
Many context lemmas have been proved for a wide range of calculi, starting with 
Milner’s context lemma for the combinatory logic form of PCF [9]. 

Our context lemma is stated in terms of a notion of a harness: 

Harnesses: 

H ::=               harnesses 
    -               process variable 
    (νn)H           restriction 
    P | H           left composition 
    H | Q           right composition 
    n[H]            ambient 

Harnesses are analogous to the evaluation contexts found in context lemmas 
for some other calculi. Unlike the contexts of Section 3, harnesses are identified 
up to consistent renaming of bound names. We let fn(H) and fv(H) be the 
sets of names and variables, respectively, occurring free in a harness H. There 
is exactly one occurrence of the process variable - in any harness. If H is a 
harness, we write H{P} for the outcome of substituting the process P for the 
single occurrence of the process variable -. Names restricted in H are renamed 
to avoid capture of free names of P. For example, if H = (νn)(- | open n) then 
H{n[]} = (νn')(n[] | open n') for some n' ≠ n. 

Let a substitution, σ, be a list {x₁←M₁}, …, {x_k←M_k} where the variables x₁, 
…, x_k are pairwise distinct, and fv(M_i) = ∅ for each i ∈ 1..k. Let dom(σ) = 
{x₁, …, x_k}. Let Pσ be the process P{x₁←M₁}···{x_k←M_k}. Let a process or 
a harness be closed if and only if it has no free variables (though it may have 
free names). 

Here is our context lemma: 

Theorem 2 (Context). For all processes P and Q, P ≃ Q if and only if for 
all substitutions σ with dom(σ) = fv(P) ∪ fv(Q), and for all closed harnesses H 
and names n, H{Pσ} ⇓ n ⇔ H{Qσ} ⇓ n. 

A corollary is that for all closed processes P and Q, P ≃ Q if and only if for 
all closed harnesses H and names n, H{P} ⇓ n ⇔ H{Q} ⇓ n. 

In general, however, we need to consider the arbitrary closing substitution σ 
when using Theorem 2. This is because a variable free in a process may become 
bound to an expression once the process is placed in a context. For example, let 
P = x[n[]] | open y.0 and Q = 0. Consider the context C() = ⟨m,m⟩ | (x,y).(). 
We have C(P) ⇓ n but not C(Q) ⇓ n. So P and Q are not contextually equivalent 
but they do satisfy H{P} ⇓ n ⇔ H{Q} ⇓ n for all closed H and n. 

Some process calculi enjoy stronger context lemmas. Let processes P and Q 
be parallel testing equivalent if and only if for all processes R and names n, 
P | R ⇓ n ⇔ Q | R ⇓ n. We might like to show that any two closed processes are 
contextually equivalent if and only if they are parallel testing equivalent. This 
would be a stronger result than Theorem 2 because it would avoid considering 
contexts that include ambients. Such a result is true for CCS [8], for example, 
but it is false for the ambient calculus. To see this, let P = out p.0 and Q = 0. 
We may show that P | R ⇓ n ⇔ Q | R ⇓ n for all n and R. Now, consider the 
context C() = p[m[()]]. We have C(P) ⇓ m but not C(Q) ⇓ m. So P and Q are 
parallel testing equivalent but not contextually equivalent. 



4.4 An Activity Lemma 

When we come to apply Theorem 2 we need to analyze judgments of the form 
H{P} ↓ n or H{P} → Q. In this section we formalize these analyses. 

We begin by extending the structural congruence, hardening, and reduction 
relations to harnesses as follows: 

- Let H ≡ H' hold if and only if H{P} ≡ H'{P} for all P. 

- Let H > (νp)⟨H'⟩Q hold if and only if H{P} > (νp)⟨H'{P}⟩Q for all P 
such that {p} ∩ fn(P) = ∅. 

- Let H > (νp)⟨Q⟩H' hold if and only if H{P} > (νp)⟨Q⟩(H'{P}) for all P 
such that {p} ∩ fn(P) = ∅. 

- Let H → H' hold if and only if, for all P, H{P} → H'{P}. 

We need the following lemma about hardening: 

Lemma 6. If H{P} > C then either: 

(1) H > (νr)⟨H'⟩R and C = (νr)⟨H'{P}⟩R, or 

(2) H > (νr)⟨R⟩H' and C = (νr)⟨R⟩(H'{P}), or 

(3) H > (νr)⟨-⟩R, P > (νp)⟨P'⟩P'', C = (νr,p)⟨P'⟩R' with R' ≡ P'' | R, 
where in each case {r} ∩ fn(P) = ∅. 

Proposition 5. If H{P} ↓ n then either (1) H{Q} ↓ n for all Q, or (2) P ↓ n, 
and for all Q, Q ↓ n implies that H{Q} ↓ n. 

Proof. By Proposition 4, H{P} ↓ n means there are p, P', P'' such that H{P} > 
(νp)⟨n[P']⟩P'' with n ∉ {p}. Hence, the proposition follows from Lemma 6. □ 

Intuitively, there are two ways in which H{P} ↓ n can arise: either the 
process P exhibits the name n by itself, or the harness H exhibits the name n 
by itself. Proposition 5 formalizes this analysis. Similarly, there are three ways 
in which a reduction F{F} ^ Q may arise: either (1) the process F reduces 
by itself, or (2) the harness F reduces by itself, or (3) there is an interaction 
between the process and the harness. Theorem 3 formalizes this analysis. Such 
a result is sometimes known as an activity lemma [15]. 
Theorem 3 (Activity). H{P} → R if and only if: 

(Act Proc) there is a reduction P → P' with R ≡ H{P'}, or 
(Act Har) there is a reduction H → H' with R ≡ H'{P}, or 
(Act Inter) there are H' and r with {r} ∩ fn(P) = ∅, and one of the following 
holds: 

(Inter In) H ≡ (νr)H'{m[- | R'] | n[R'']}, P --in n--> P', 
and R ≡ (νr)H'{n[m[P' | R'] | R'']} 

(Inter Out) H ≡ (νr)H'{n[m[- | R'] | R'']}, P --out n--> P', 
and R ≡ (νr)H'{m[P' | R'] | n[R'']} 

(Inter Open) H ≡ (νr)H'{- | n[R']}, P --open n--> P', 
and R ≡ (νr)H'{P' | R'} 

(Inter Input) H ≡ (νr)H'{- | ⟨M⟩}, P > (νp)⟨(x).P'⟩P'', 
and R ≡ (νr)H'{(νp)(P'{x←M} | P'')}, with {p} ∩ fn(M) = ∅ 

(Inter Output) H ≡ (νr)H'{- | (x).R'}, P > (νp)⟨⟨M⟩⟩P', 
and R ≡ (νr)H'{(νp)(P' | R'{x←M})}, with {p} ∩ fn(R') = ∅ 

(Inter Amb) P > (νp)⟨n[Q]⟩P' and one of the following holds: 

(1) Q --in m--> Q', H ≡ (νr)H'{- | m[R']}, {p} ∩ fn(m[R']) = ∅, 
and R ≡ (νr)H'{(νp)(P' | m[n[Q'] | R'])} 

(2) Q --out m--> Q', H ≡ (νr)H'{m[- | R']}, m ∉ {p}, 
and R ≡ (νr)H'{(νp)(n[Q'] | m[P' | R'])} 

(3) H ≡ (νr)H'{m[R' | in n.R''] | -}, {p} ∩ fn(m[R' | in n.R'']) = ∅, 
and R ≡ (νr)H'{(νp)(n[Q | m[R' | R'']] | P')} 

(4) H ≡ (νr)H'{- | open n.R'}, n ∉ {p}, 
and R ≡ (νr)H'{(νp)(Q | P') | R'} 



5 Examples of Contextual Equivalence 

In this section, two examples demonstrate how we may apply Theorem 2 and 
Theorem 3 to establish contextual equivalence. 

5.1 Opening an Ambient 

We can now return to and prove Example 3 from Section 3. 

Lemma 7. If H{(νn)(n[] | open n.P)} ⇓ m and n ∉ fn(P) then H{P} ⇓ m. 

Proof. By induction on the derivation of H{(νn)(n[] | open n.P)} ⇓ m, with 
appeal to Propositions 4 and 5, and Theorems 1 and 3. □ 

Proof of Example 3. (νn)(n[] | open n.P) ≃ P if n ∉ fn(P). 

Proof. By Theorem 2, it suffices to prove H{((νn)(n[] | open n.P))σ} ⇓ m ⇔ 
H{Pσ} ⇓ m for all closed harnesses H and names m and for all substitutions 
σ with dom(σ) = fv(P). Since the name n is bound, we may assume that n ∉ 
fn(σ(x)) for all x ∈ dom(σ). Therefore, we are to prove that: H{(νn)(n[] | 
open n.Pσ)} ⇓ m ⇔ H{Pσ} ⇓ m where n ∉ fn(Pσ). 

We prove each direction separately. First, suppose that H{Pσ} ⇓ m. Since 
(νn)(n[] | open n.Pσ) → Pσ, we get H{(νn)(n[] | open n.Pσ)} → H{Pσ}. 
By (Conv Red), we get H{(νn)(n[] | open n.Pσ)} ⇓ m. Second, suppose that 
H{(νn)(n[] | open n.Pσ)} ⇓ m. By Lemma 7, we get H{Pσ} ⇓ m. □ 

5.2 The Perfect Firewall Equation 

Consider a process (νn)n[P], where n is not free in P. Since the name n is known 
neither inside the ambient n[P], nor outside it, the ambient n[P] is a “perfect 
firewall” that neither allows another ambient to enter nor to exit. The following 
two lemmas allow us to prove that (νn)n[P] is contextually equivalent to 0, when 
n ∉ fn(P), which is to say that no context can detect the presence of (νn)n[P]. 

Lemma 8. If H{(νn)n[P]} ⇓ m and n ∉ fn(P) then H{0} ⇓ m. 

Proof. By induction on the derivation of H{(νn)n[P]} ⇓ m. 

(Conv Exh) Here H{(νn)n[P]} ↓ m. By Proposition 5, either (1), for all Q, 
H{Q} ↓ m, or (2), (νn)n[P] ↓ m. In case (1), we have, in particular, that 
H{0} ↓ m. Hence, H{0} ⇓ m, by (Conv Exh). Case (2) cannot arise, since, 
by Proposition 4, (νn)n[P] ↓ m implies that (νn)n[P] > (νp)⟨m[P']⟩P'' with 
m ∉ {p}, which is impossible. 

(Conv Red) Here H{(νn)n[P]} → R and R ⇓ m. By Theorem 3, one of three 
cases pertains: 

(Act Proc) Then (νn)n[P] → P'' with R ≡ H{P''}. By Theorem 1, there 
is Q with (νn)n[P] --τ--> Q and Q ≡ P''. Since (νn)n[P] > (νn)⟨n[P]⟩0 is 
the only hardening derivable from (νn)n[P], the transition (νn)n[P] --τ--> 
Q can only be derived using (Trans Amb), with P --τ--> P' and Q = 
(νn)(n[P'] | 0). Therefore, there is a reduction P → P' and P'' ≡ 
(νn)n[P']. We may show that P → P' implies fn(P') ⊆ fn(P), and so 
n ∉ fn(P'). We have R ≡ H{(νn)n[P']} with n ∉ fn(P'). By Lemma 1, 
we may derive H{(νn)n[P']} ⇓ m by the same depth of inference as 
R ⇓ m. By induction hypothesis, H{0} ⇓ m. 

(Act Har) Then H → H' with R ≡ H'{(νn)n[P]}. By Lemma 1, we may 
derive H'{(νn)n[P]} ⇓ m by the same depth of inference as R ⇓ m. By 
induction hypothesis, H'{0} ⇓ m. From H → H' we obtain H{0} → 
H'{0} in particular. By (Conv Red), we get H{0} ⇓ m. 

(Act Inter) Then there are H' and r with {r} ∩ fn(P) = ∅ and one of 
several conditions must hold. Since the only hardening or transition from 
(νn)n[P] is (νn)n[P] > (νn)⟨n[P]⟩0, only the rule (Inter Amb) applies. 
According to Theorem 3, there are four possibilities to consider. 

(1) Here, P --in m--> P', H ≡ (νr)H'{- | m[R']}, {n} ∩ fn(m[R']) = ∅, and 
R ≡ (νr)H'{(νn)(0 | m[n[P'] | R'])}. We have R ≡ (νr)H'{m[R' | 
(νn)n[P']]} and that n ∉ fn(P'). By Lemma 1, we get (νr)H'{m[R' | 
(νn)n[P']]} ⇓ m with the same depth of inference as R ⇓ m. By 
induction hypothesis, (νr)H'{m[R' | 0]} ⇓ m. Moreover, H{0} ≡ 
(νr)H'{m[R' | 0]}, and therefore H{0} ⇓ m. 

(2) Here, P --out m--> P', H ≡ (νr)H'{m[- | R']}, m ∉ {n}, and also 
R ≡ (νr)H'{(νn)(n[P'] | m[0 | R'])}. We have R ≡ (νr)H'{m[R'] | 
(νn)n[P']} and that n ∉ fn(P'). By Lemma 1, we get (νr)H'{m[R'] | 
(νn)n[P']} ⇓ m with the same depth of inference as R ⇓ m. By 
induction hypothesis, (νr)H'{m[R'] | 0} ⇓ m. Moreover, H{0} ≡ 
(νr)H'{m[R'] | 0} and therefore H{0} ⇓ m. 

The other possibilities, (3) and (4), are ruled out because the name n is 
restricted in the concretion (νn)⟨n[P]⟩0. □ 

By a similar induction, we can also prove: 

Lemma 9. If H{0} ⇓ m then H{P} ⇓ m. 

By combining Theorem 2, Lemmas 8 and 9, we get: 

Example 4. If n ∉ fn(P) then (νn)n[P] ≃ 0. 

Our first proof of this equation (which was stated in an earlier paper [6]) was 
by a direct quantification over all contexts. The proof above using the context 
lemma is simpler. 

6 Conclusions 

We developed a theory of Morris-style contextual equivalence for the ambient 
calculus. We showed that standard tools such as a labelled transition system, a 
context lemma, and an activity lemma, may be adapted to the ambient calculus. 
We introduced a new technique, based on a hardening relation, for defining 
the labelled transition system. We employed these tools to prove equational 
properties of mobile ambients. 

Our use of concretions to highlight those subprocesses of a process that may 
participate in a computation follows Milner [10, 11], and is an alternative to the 
use of membranes and airlocks in the chemical abstract machine of Berry and 
Boudol [5]. Unlike these authors, in the definition of our transition relation we 
use the hardening relation, rather than the full structural congruence relation, to 
choose subprocesses to participate in a transition. Hardening is more convenient 
in some proofs, such as the proof that the labelled transition system is image- 
finite, Lemma 4. 
In the future, it would be of interest to study bisimulation of ambients. 
Various techniques adopted for higher-order [13, 17] and distributed [4, 3, 16] 
variants of the π-calculus may be applicable to the ambient calculus. 

Acknowledgement Comments by Cedric Fournet, Georges Gonthier, and Tony 
Hoare were helpful. 



References 

1. M. Abadi, C. Fournet, and G. Gonthier. Secure implementation of channel ab- 
stractions. In Proceedings LICS’98, pages 105-116, 1998. 

2. M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi cal- 
culus. Information and Computation. To appear. An extended version appears as 
Digital Equipment Corporation Systems Research Center report No. 149, January 
1998. 

3. R. M. Amadio. An asynchronous model of locality, failure, and process mobility. 
In Proceedings COORDINATION 97, volume 1282 of Lecture Notes in Computer 
Science. Springer-Verlag, 1997. 

4. R. M. Amadio and S. Prasad. Localities and failures. In Proceedings FST&TCS’94, 
volume 880 of Lecture Notes in Computer Science, pages 205-216. Springer-Verlag, 
1994. 

5. G. Berry and G. Boudol. The chemical abstract machine. Theoretical Computer 
Science, 96(1):217-248, April 1992. 

6. L. Cardelli and A. D. Gordon. Mobile ambients. In Proceedings FoSSaCS’98, vol- 
ume 1378 of Lecture Notes in Computer Science, pages 140-155. Springer-Verlag, 
1998. 

7. L. Cardelli and A. D. Gordon. Types for mobile ambients. In Proceedings POPL’99, 
1999. To appear. 

8. R. De Nicola and M. C. B. Hennessy. Testing equivalences for processes. Theoretical 
Computer Science, 34:83-133, 1984. 

9. R. Milner. Fully abstract models of typed lambda-calculi. Theoretical Computer 
Science, 4:1-23, 1977. 

10. R. Milner. The polyadic π-calculus: A tutorial. Technical Report ECS-LFCS-91- 
180, Laboratory for Foundations of Computer Science, Department of Computer 
Science, University of Edinburgh, October 1991. 

11. R. Milner. The π-calculus. Undergraduate lecture notes, Cambridge University, 
1995. 

12. R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, parts I and 
II. Information and Computation, 100:1-40 and 41-77, 1992. 

13. R. Milner and D. Sangiorgi. Barbed bisimulation. In Proceedings ICALP’92, 
volume 623 of Lecture Notes in Computer Science. Springer-Verlag, 1992. 

14. J. H. Morris. Lambda-Calculus Models of Programming Languages. PhD thesis, 
MIT, December 1968. 

15. G. D. Plotkin. LCF considered as a programming language. Theoretical Computer 
Science, 5:223-255, 1977. 

16. J. Riely and M. Hennessy. A typed language for distributed mobile processes. In 
Proceedings POPL’98, pages 378-390, 1998. 

17. D. Sangiorgi. Expressing Mobility in Process Algebras: First-Order and Higher- 
Order Paradigms. PhD thesis, University of Edinburgh, 1992. Available as Techni- 
cal Report CST-99-93, Computer Science Department, University of Edinburgh. 




Model Checking Logics for 
Communicating Sequential Agents* 

Michaela Huhn¹, Peter Niebert², and Frank Wallner³ 

¹ Institut für Rechnerentwurf und Fehlertoleranz (Prof. D. Schmid), 
Univ. Karlsruhe, Postf. 6980, D-76128 Karlsruhe, huhn@ira.uka.de 
² VERIMAG, 2, av. de Vignate, 38610 Gières, France, niebert@imag.fr 
³ Institut für Informatik, Technische Universität München, D-80290 München, 
wallnerf@in.tum.de 



Abstract. We present a model checking algorithm for L_CSA, a tem- 
poral logic for communicating sequential agents (CSAs) introduced by 
Lodaya, Ramanujam, and Thiagarajan. L_CSA contains temporal modali- 
ties indexed with a local point of view of one agent and allows to refer to 
properties of other agents according to the latest gossip, which is related 
to local knowledge. 

The model checking procedure relies on a modularisation of L_CSA into 
temporal and gossip modalities. We introduce a hierarchy of formulae 
and a corresponding hierarchy of equivalences, which allows to compute 
for each formula and finite state distributed system a finite multi modal 
Kripke structure, on which the formula can be checked with standard 
techniques. 



1 Introduction 

A reasonable and lucid way of formally treating distributed systems is to con- 
sider them as a fixed collection of sequential components (agents) which can 
operate independently as well as cooperate by exchanging information. There is 
an increasing awareness, both in theory and practice, of the benefits of specify- 
ing the requirements of such systems by localised, component based formalisms, 
that allow to refer to properties of the individual components. 

The operational models for localised specification usually consist of local 
temporal orders (sequences in the linear time case, trees in branching time) 
together with an interrelation between these orders, descended from communi- 
cation [LRT92,Ram95] . The most established models for the linear time case are 
partial orders, whereas in the branching time setting, (prime) event structures 
or closely related models like occurrence nets [NPW80,Win87] have been recog- 
nised to be a suitable formalism. In these models, partial orders are extended 
by an additional conflict relation, representing the moments of choice. 
Investigating partial order models has attained the interest of researchers for 
mainly two reasons: There is no distinction among computations that are equal 
up to possible total orderings of independent actions, which makes it a faithful 
and natural formalism for representing concurrency. Furthermore, restricting 
the attention to local states mitig­ates one of the most tackled difficulties of model 
checking, the so-called state explosion problem, which results from an explicit 
computation of the global state space of a distributed system. 

For a component-oriented specification of behaviour, local linear time tem- 
poral logics have been investigated by Thiagarajan in [Thi94,Thi95] and Niebert 
[Nie98]. Local branching time logics were introduced in [LT87,LRT92,HNW98b]. 
While for the linear time case there now exist sound model checking procedures 
based on automata [Thi94,Nie98], only recently the model checking problem for 
local branching time logics has been inspected [Pen97,HNW98b]. 

In this paper, we investigate model checking for a local branching time logic 
defined by Lodaya, Ramanujam and Thiagarajan in [LRT92], here called L_CSA, 
which is intended to specify the behaviour of communicating sequential agents 
(CSAs). It allows a component i to refer to local properties of another component 
j according to the latest gossip (in [LRT92] also called local knowledge), i.e., the 
most recent j-local state that causally precedes the current i-local state. 

Based on net unfoldings [Eng91] and McMillan’s finite prefix construction 
[McM92], we solve the model checking problem for L_CSA, which remained open 
since [LRT92]. 

McMillan's prefix has successfully been applied to alleviate state explosion in 
many verification problems, for instance deadlock detection [McM92], and model 
checking S4 [Esp94], LTL [Wal98], and the distributed $\mu$-calculus [HNW98b]. All 
of these problems can in principle be solved with conventional state space 
exploration, but often only with an exponentially higher effort. 

The focus of this paper is to show decidability of model checking $\mathcal{L}_{CSA}$. 
Generalising the techniques of [HNW98b], we demonstrate that the unfolding 
approach is well suited for model checking a wider class of local logics, for 
which the problem previously appeared to be too difficult. 

Technically, we proceed as follows: we lift the semantics of $\mathcal{L}_{CSA}$ from CSAs 
onto net unfoldings, and factorise the net unfolding with respect to an equivalence 
relation satisfying two key properties: it is a congruence for the $\mathcal{L}_{CSA}$ 
specification to be checked, and it has finite index. Via this factorisation, the 
$\mathcal{L}_{CSA}$ model checking problem can be transformed into a model checking problem 
for a multi modal logic on a finite transition system constructed upon a modified 
McMillan prefix, using the defined equivalence relation as cutoff condition. With 
an appropriate interpretation of the $\mathcal{L}_{CSA}$ modalities, standard model checking 
algorithms, e.g. [CES86], can be applied to this transition system. 

The approach follows the lines of [HNW98b], but whereas the focus there was 
to derive an algorithm for calculating the transition system, the main difficulty 
here is to develop an appropriate equivalence relation. The modalities of the 
distributed $\mu$-calculus of [HNW98b] are purely future oriented, while the past 
and also the gossip modalities of $\mathcal{L}_{CSA}$ may lead to rather complex patterns 
within the past of a configuration. As a consequence, the coarsest equivalence 
preserving all $\mathcal{L}_{CSA}$ properties has infinite index, and it is not possible to 
construct a single (finite-state) transition system representing all $\mathcal{L}_{CSA}$ properties of 
a particular finite state distributed system. However, a single $\mathcal{L}_{CSA}$ formula has 
only a limited power of referring to the past, so that we can construct an equivalence 
depending on the formula. For this purpose, we introduce a syntactic hierarchy 
of formulae and a corresponding hierarchy of equivalences. The construction of 
these equivalences and the proof of their soundness are both complex, and the 
resulting model checking complexity of the construction given here is high. 

The technical presentation of the paper relies on notions from Petri net the- 
ory, mainly to correspond directly to McMillan’s prefix. Note however, that the 
entire method can easily be restated for other formalisms, like e.g. asynchronous 
automata, coupled finite state machines, and so forth. 

The paper is structured as follows. In Section 2 we introduce distributed 
net systems, and their unfoldings as semantic model of branching behaviour. In 
Section 3 we introduce the logic $\mathcal{L}_{CSA}$ and our slightly generalised version $\mathcal{L}$. In 
Section 4 we present McMillan's finite prefix, and parameterise its definition by 
an abstract equivalence relation. Then we develop an appropriate equivalence 
for $\mathcal{L}$. In Section 5 we use this equivalence to compute a finite state transition 
system, on which the model checking problem for $\mathcal{L}$ can be solved by conventional 
model checkers. In Section 6, we discuss our results and indicate future work. 

2 Distributed net systems and their unfoldings 

Petri nets. Let $P$ and $T$ be disjoint, finite sets of places and transitions, 
generically called nodes. A net is a triple $N = (P, T, F)$ with a flow relation 
$F \subseteq (P \times T) \cup (T \times P)$. The preset of a node $x$ is defined as ${}^\bullet x := \{y \in P \cup T \mid y\,F\,x\}$ 
and its postset as $x^\bullet := \{y \in P \cup T \mid x\,F\,y\}$. The preset (resp. postset) of a set $X$ 
of nodes is the union of the presets (resp. postsets) of all nodes in $X$. 

A marking of a net is a mapping $M : P \to \mathbb{N}_0$. If $M(p) = n$, we say that 
$p$ contains $n$ tokens at $M$. A net system $\Sigma = (N, M_0)$ consists of a net $N$, and 
an initial marking $M_0$. The marking $M$ enables the transition $t$ if every place in 
the preset of $t$ contains at least one token. In this case the transition can occur. 
If $t$ occurs, it removes one token from each place $p \in {}^\bullet t$ and adds one token to 
each place $p' \in t^\bullet$, yielding a new marking $M'$. We denote this occurrence by 
$M \xrightarrow{t} M'$. If there exists a chain $M_0 \xrightarrow{t_1} M_1 \xrightarrow{t_2} \cdots \xrightarrow{t_n} M_n$ for $n \ge 0$, then 
the marking $M_n$ is a reachable marking. 

We will restrict our attention to 1-safe net systems, in which every reachable 
marking $M$ puts at most one token on each place, and thus can be identified with 
the subset of places that contain a token, i.e., $M \subseteq P$. 

In recent years, 1-safe net systems have become a significant model [CEP95]. 
In [NRT90] it has been shown that a subclass of 1-safe nets, called Elementary 
Net Systems, corresponds to other models of concurrency, such as (Mazurkiewicz) 
traces and prime event structures. They can naturally be interpreted as a syn- 
chronised product of several finite automata, and thus they are frequently used 
as a convenient formalism for modelling distributed systems. In the following we 
will exploit this compositional view by considering the notion of locations. 

Distributed net systems. Let us introduce the formalism for describing dis- 
tributed systems. Clearly, the behaviour of our models shall resemble the Com- 
municating Sequential Agents of [LRT92]. This means, a system consists of sev- 
eral distributed, autonomous agents, which mutually communicate. Each of the 
agents shall behave strictly sequentially, and non-deterministically. 

Let $\Sigma$ be a 1-safe net system, and $t, t'$ two transitions of $\Sigma$. A marking $M$ 
concurrently enables $t$ and $t'$ if $M$ enables $t$, and $(M \setminus {}^\bullet t)$ enables $t'$. We call $\Sigma$ 
sequential if no reachable marking concurrently enables two transitions. 

Let $\{\Sigma_i = (P_i, T_i, F_i, M_0^i) \mid i \in Loc\}$ be a family of 1-safe, sequential net 
systems (called agents, or components) with pairwise disjoint sets $P_i$ of places, 
indexed by a finite set $Loc$ of locations. Note that the sets of transitions are not 
necessarily disjoint. In fact, we will interpret the execution of a transition that 
is common to several agents as a synchronous communication action of these 
agents, i.e., the communication capabilities are given by the common execution 
of joint transitions. Formally, a distributed net system $\Sigma_{Loc} = (P, T, F, M_0)$ is defined 
as the union of its components $\Sigma_i$: 

$$P = \bigcup_{i \in Loc} P_i,\qquad T = \bigcup_{i \in Loc} T_i,\qquad F = \bigcup_{i \in Loc} F_i,\qquad M_0 = \bigcup_{i \in Loc} M_0^i .$$

Clearly, $\Sigma_{Loc}$ is again 1-safe. The location $loc(x)$ of a node $x$ is defined by 
$loc(x) := \{i \in Loc \mid x \in P_i \cup T_i\}$. A simple distributed net system consisting of 
two components is depicted in Fig. 1. 
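The definitions above (markings, enabling, firing, 1-safety, the "concurrently enables" test, and the union of sequential agents into a distributed net system) as runnable code. This is an added example written for this edition, not code from the paper; the `Net` class, the dict-of-token-counts representation of markings and the two-agent toy system at the bottom are our own constructions.

```python
"""Added example (ours, not code from the paper): 1-safe net systems, explicit
reachability, the 'concurrently enables' test for sequential agents, and the
union of sequential components into a distributed net system with loc(x).
The toy two-agent system at the bottom is constructed for illustration."""
from itertools import combinations

class Net:
    """N = (P, T, F) with flow relation F ⊆ (P×T) ∪ (T×P)."""
    def __init__(self, places, transitions, flow):
        self.P, self.T, self.F = frozenset(places), frozenset(transitions), frozenset(flow)
        assert all((a in self.P and b in self.T) or (a in self.T and b in self.P)
                   for a, b in self.F), "flow must connect places and transitions"
    def pre(self, x):    # preset  •x = {y | y F x}
        return frozenset(a for a, b in self.F if b == x)
    def post(self, x):   # postset x• = {y | x F y}
        return frozenset(b for a, b in self.F if a == x)

def key(M):              # hashable form of a marking M : P -> N (only marked places kept)
    return frozenset(M.items())

def enabled(net, M, t):  # every place of •t carries at least one token
    return all(M.get(p, 0) >= 1 for p in net.pre(t))

def fire(net, M, t):
    """M --t--> M': take one token from each p in •t, put one on each p' in t•."""
    assert enabled(net, M, t)
    M2 = dict(M)
    for p in net.pre(t):
        M2[p] -= 1
    for p in net.post(t):
        M2[p] = M2.get(p, 0) + 1
    return {p: n for p, n in M2.items() if n}

def reachable_markings(net, M0):
    """Explicit exploration of the global state space (what the unfolding approach avoids)."""
    seen, work = {key(M0): M0}, [M0]
    while work:
        M = work.pop()
        for t in net.T:
            if enabled(net, M, t):
                M2 = fire(net, M, t)
                if key(M2) not in seen:
                    seen[key(M2)] = M2
                    work.append(M2)
    return list(seen.values())

def is_1_safe(net, M0):  # no reachable marking puts two tokens on a place
    return all(n <= 1 for M in reachable_markings(net, M0) for n in M.values())

def concurrently_enables(net, M, t, t2):
    """M enables t, and M minus •t still enables t2."""
    if not enabled(net, M, t):
        return False
    M_minus = dict(M)
    for p in net.pre(t):
        M_minus[p] -= 1
    return enabled(net, M_minus, t2)

def is_sequential(net, M0):  # an agent: no reachable marking concurrently enables two transitions
    return not any(concurrently_enables(net, M, t, t2)
                   for M in reachable_markings(net, M0)
                   for t, t2 in combinations(sorted(net.T), 2))

def distributed_net_system(components):
    """Union of components {i: (Net_i, M0_i)} with pairwise disjoint place sets.
    A transition belonging to several components is a joint (synchronising) action."""
    P, T, F, M0 = set(), set(), set(), {}
    for net, m0 in components.values():
        assert not (P & net.P), "place sets of components must be disjoint"
        P |= net.P; T |= net.T; F |= net.F; M0.update(m0)
    return Net(P, T, F), M0

def loc(components, x):
    """loc(x) = {i ∈ Loc | x ∈ P_i ∪ T_i}."""
    return frozenset(i for i, (net, _) in components.items() if x in net.P or x in net.T)

# Constructed toy system: each agent takes one local step, then both synchronise on 'sync'.
AGENT_A = (Net({'a0', 'a1'}, {'a', 'sync'},
               {('a0', 'a'), ('a', 'a1'), ('a1', 'sync'), ('sync', 'a0')}), {'a0': 1})
AGENT_B = (Net({'b0', 'b1'}, {'b', 'sync'},
               {('b0', 'b'), ('b', 'b1'), ('b1', 'sync'), ('sync', 'b0')}), {'b0': 1})
COMPONENTS = {'A': AGENT_A, 'B': AGENT_B}
SIGMA, M0 = distributed_net_system(COMPONENTS)

if __name__ == '__main__':
    print(len(reachable_markings(SIGMA, M0)), 'reachable markings; 1-safe:', is_1_safe(SIGMA, M0))
    print('A sequential:', is_sequential(*AGENT_A), ' whole system sequential:', is_sequential(SIGMA, M0))
```

Running it reports four reachable markings of the toy system and confirms 1-safety; each agent on its own is sequential, while their union concurrently enables `a` and `b` in the initial marking, so the distributed system itself is not sequential. That independence of `a` and `b` is exactly what the unfolding represents as two concurrent events instead of two interleavings.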

In [LRT92] also asynchronous communication (message passing) is consid- 
ered. However, in general this yields systems with infinitely many states, mak- 
ing an algorithmic, state space based approach to model checking impossible. 
To model the asynchronous setting, we can assume some finite-state commu- 
nication mechanism like e.g. bounded channels or buffers, which can easily be 
defined within the presented framework by considering a buffer as an agent of 
its own, (synchronously) communicating with both the agents that communicate 
(asynchronously) via this buffer. 

Net unfoldings. As a partial order semantics of the behaviour of a distributed 
net system, we consider net unfoldings, also known as branching processes. They 
contain information about both concurrency and conflict. 

Two nodes $x, x'$ of a net $(P, T, F)$ are in conflict, denoted $x \# x'$, if there exist 
two distinct transitions $t, t'$ such that ${}^\bullet t \cap {}^\bullet t' \neq \emptyset$, and $(t, x)$, $(t', x')$ belong to 
the reflexive, transitive closure of $F$. If $x \# x$, we say $x$ is in self-conflict. 

An occurrence net [NPW80] is a net $N' = (B, E, F)$ with the following prop- 
erties: (1) for every $b \in B$, $|{}^\bullet b| \le 1$; (2) the irreflexive transitive closure $<$ of $F$ is 
well-founded and acyclic, i.e., for every node $x \in B \cup E$, the set $\{y \in B \cup E \mid y < x\}$ 
is finite and does not contain $x$; and (3) no element $e \in E$ is in self-conflict. 
The reflexive closure $\le$ of $<$ is a partial order, called the causality relation. In occur- 
rence nets we speak of conditions and events instead of places and transitions, 
respectively. $Min(N')$ denotes the set of minimal elements of $N'$ w.r.t. $\le$. 
Fig. 1. Distributed net (figure not reproduced) 

Fig. 2. Branching process (figure not reproduced) 



Given two nets $N_1, N_2$, a mapping $h : P_1 \cup T_1 \to P_2 \cup T_2$ is called a 
homomorphism if $h(P_1) \subseteq P_2$, $h(T_1) \subseteq T_2$, and for every $t \in T_1$ the restriction of $h$ 
to ${}^\bullet t$, denoted $h|_{{}^\bullet t}$, is a bijection between ${}^\bullet t$ and ${}^\bullet h(t)$, and analogously for $h|_{t^\bullet}$. 

A branching process [Eng91] of a net system $\Sigma = (N, M_0)$ is a pair $\beta = (N', \pi)$ 
where $N' = (B, E, F)$ is an occurrence net and $\pi : B \cup E \to P \cup T$ is a homomorphism, 
such that the restriction of $\pi$ to $Min(N')$ is a bijection between $Min(N')$ and $M_0$, 
and additionally for all $e_1, e_2 \in E$: if $\pi(e_1) = \pi(e_2)$ and ${}^\bullet e_1 = {}^\bullet e_2$ then $e_1 = e_2$. 
Loosely speaking, we unfold the net $N$ to an occurrence net $N'$, such that each 
node $x$ of $N'$ refers to the node $\pi(x)$ of $N$. Two branching processes $\beta_1, \beta_2$ of $\Sigma$ 
are isomorphic if there exists a bijective homomorphism $h : N'_1 \to N'_2$ such that 
the composition $\pi_2 \circ h$ equals $\pi_1$. In [Eng91] it is shown that each net system $\Sigma$ 
has a unique maximal branching process up to isomorphism, which we call the 
unfolding of $\Sigma$ and denote by $Unf_\Sigma$. 

In distributed net systems, the location $loc(x)$ of a node $x$ of $N'$ is given by 
$loc(x) = loc(\pi(x))$. By $E_i := \{e \in E \mid i \in loc(e)\}$ we denote the set of $i$-events. 

Let $N'' = (B'', E'', F'')$ be a subnet of $N'$ such that $e \in E''$ implies $e' \in E''$ 
for every $e' < e$, and $B'' = Min(N') \cup E''^{\bullet}$, and let $\pi''$ be the restriction of $\pi$ 
to the nodes of $N''$. We call $\beta'' = (N'', \pi'')$ a prefix of $Unf_\Sigma$. Fig. 2 shows a 
prefix of the infinite unfolding of the net system drawn in Fig. 1. 

Configurations and Cuts. For the remainder of the section, let us fix the 
unfolding $Unf_\Sigma = (N', \pi)$ of the distributed net system $\Sigma$ with $N' = (B, E, F)$. 

A configuration $C \subseteq E$ is a causally downward-closed, conflict-free set of 
events, i.e., $\forall e \in C$: if $e' < e$ then $e' \in C$, and $\forall e, e' \in C$: $\neg(e \# e')$. A finite 
configuration describes the initial part of a computation of the system. If we 
understand the states of the system as moments in time, then configurations 
represent the past (by exhibiting all the events that have occurred so far, and 
the causal structure among them), as well as the present and the future, as 
formalised in the following. 

Two nodes of $N'$ are concurrent if they are neither in conflict nor causally 
related. A set $B' \subseteq B$ of conditions of $N'$ is called a cut if $B'$ is a maximal 
set of pairwise concurrent conditions. Every finite configuration $C$ determines a 
cut $Cut(C) := (Min(N') \cup C^\bullet) \setminus {}^\bullet C$. The corresponding set $\pi(Cut(C)) \subseteq P$ of 
places is a reachable marking of $\Sigma$, denoted by $M(C)$ and called the state of $C$. 
Notice that for every reachable marking $M$ of $\Sigma$, there exists a (not necessarily 
unique) finite configuration with state $M$. We will often identify configurations 
with their state. Given a configuration $C$ and a disjoint set $E'$ of events, we call 
$C \oplus E'$ an extension of $C$ if $C \cup E'$ is a configuration. 

Let $\Uparrow C := \{x \in (B \cup E) \mid \exists b \in Cut(C).\; b \le x \text{ and } \forall y \in C.\; \neg(x \# y)\}$. 
The (branching) future of a configuration $C$ is given by the branching process 
$\Uparrow(C) := (N'_C, \pi_C)$, where $N'_C$ is the unique subnet of $N'$ whose set of nodes 
is $\Uparrow C$, and $\pi_C$ is the restriction of $\pi$ to the nodes of $N'_C$. Let us call two 
configurations $M$-equivalent, denoted $C \equiv_M C'$, if $M(C) = M(C')$. It is easy 
to show that if $C \equiv_M C'$ then there exists an isomorphism $I_C^{C'}$ from $\Uparrow(C)$ to 
$\Uparrow(C')$. It induces a mapping from the extensions of $C$ onto the extensions of $C'$, 
mapping $C \oplus E'$ onto $C' \oplus I_C^{C'}(E')$, which are again $M$-equivalent. 

Local states and views. The notion of local state arises by considering con- 
figurations that are determined by single events. For an event $e$, we call the set 
$\downarrow e := \{e' \in E \mid e' \le e\}$ the local configuration of $e$. It is indeed a configuration, 
because no event is in self-conflict. If $e \in E_i$ is an $i$-event, we consider $\downarrow e$ to be an 
$i$-local state. It determines the local past of component $i$, as well as the local past 
of every component that communicated with $i$ so far, directly, or indirectly 
via other components. 

In distributed net systems, we define the $i$-view $\Downarrow_i C$ of a configuration $C$ as 
$\Downarrow_i C := \{e \in C \mid \exists e_i \in (C \cap E_i).\; e \le e_i\}$. Notice that the sequentiality of the 
components implies that for each $i \in Loc$, the $i$-events form a tree in $Unf_\Sigma$, i.e., in 
each configuration the $i$-events are totally ordered. Thus, the $i$-view of $C$ is the 
local configuration of the unique, causally maximal $i$-event in $C$. Intuitively, $\Downarrow_i C$ 
can be understood as the most recent $i$-local configuration that the whole system 
is aware of in the (global) configuration $C$. The $i$-view of a local configuration 
$\downarrow e$ is written $\downarrow^i e$. Note that $\downarrow^i e = \downarrow e$ iff $i \in loc(e)$. We will interpret the empty 
configuration as the local configuration of a virtual event $\bot$, which can be seen 
as an initial event with empty preset and $Min(N')$ as postset. We assume the set 
of events of $Unf_\Sigma$ to contain this virtual event, $\bot \in E$, and set $loc(\bot) := Loc$. 

Let $\mathcal{C}_{loc}(Unf)$ denote the set of local configurations of $Unf$ (abbreviated $\mathcal{C}_{loc}$ 
if $Unf$ is clear), and let $\mathcal{C}^i_{loc} := \{\downarrow e \mid e \in E_i\}$ be the set of $i$-local configurations. 

Correspondence of CSAs and unfoldings. Originally in [LRT92], the entire 
formalism relies on CSAs, a subclass of prime event structures. We note that net 
unfoldings as presented here directly correspond to rooted CSAs. The differences 
are only technical. For details of this correspondence, cf. [HNW98a]. 

3 Temporal Logic for Communicating Sequential Agents 

In [LRT92], Lodaya, Ramanujam, and Thiagarajan defined and axiomatised the 
temporal logic $\mathcal{L}_{CSA}$, which allows one to express properties referring to the latest 
gossip of the agents in a distributed system. Let us give a brief idea of the logic, 
related to unfoldings of distributed net systems. For details, cf. [LRT92]. 
Basically, $\mathcal{L}_{CSA}$ consists of propositional logic. Additionally, it provides two 
temporal operators $\lozenge_i$, resp. $\lozenge^-_i$, for each $i \in Loc$, referring to the local future, 
resp. local past, of agent $i$. All formulae are interpreted exclusively on the local 
configurations of a given unfolding. 

Intuitively, $\lozenge^-_i \varphi$ holds at $\downarrow e$ if some $i$-local configuration in the past of $e$ 
satisfies $\varphi$. When $e$ is a $j$-event, this can be read as "agent $j$ has at its local state 
$\downarrow e$ enough gossip information to assert that $\varphi$ was true in the past in agent $i$". 

The local configuration $\downarrow e$ satisfies $\lozenge_i \varphi$ iff some $i$-local configuration in the 
$i$-local future of $\downarrow e$ satisfies $\varphi$, i.e., if there is some configuration $\downarrow e'$ ($e' \in E_i$) 
such that $\downarrow^i e \subseteq \downarrow e'$ and $\downarrow e'$ satisfies $\varphi$. For $e \in E_j$, this can be read as "at the 
$j$-local state where $e$ has just occurred, agent $j$ has enough gossip information 
about agent $i$ to assert that $\varphi$ may hold eventually in $i$". 

Typical specifications are properties like $\lozenge_i(x_i \to \bigwedge_{j \in Loc} \lozenge_j x_j)$: "whenever 
$x_i$ holds in $i$, then agent $i$ knows that $x_j$ may hold eventually in all other agents 
$j$". For more detailed examples, cf. [LRT92]. 

A generalised syntax: $\mathcal{L}$. We now introduce a slightly extended language in 
which the temporal modalities $\lozenge$, $\lozenge^-$ are separated from the gossip modality $@i{:}$. 
The separation yields a higher degree of modularity in the technical treatment 
and also saves redundant indices in nested formulae residing at a single location. 
The abstract syntax of $\mathcal{L}$ is 

$$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \lozenge\varphi \mid \lozenge^-\varphi \mid @i{:}\varphi$$

where $p$ ranges over a set of atomic propositions, and $i$ over $Loc$. We require 
that every occurrence of a temporal modality lies within the scope of a gossip 
modality. The operators $\lozenge$ and $\lozenge^-$ are now seen as temporal future and past 
modalities within a single location, which is determined by the next enclosing 
gossip modality $@i{:}$. For example, $\lozenge_i \lozenge_j p$ will be written as $@i{:}\lozenge\, @j{:}\lozenge\, p$ 
in our syntax. Formally, the connection to the original $\mathcal{L}_{CSA}$ syntax is given in 
[HNW98a]. 

As in $\mathcal{L}_{CSA}$, formulae are interpreted at local configurations only. The mod- 
els of $\mathcal{L}$ are unfoldings of distributed net systems. The interpretation of the 
atomic propositions relies on the state function $M$, i.e., we identify the atomic 
propositions with the set $P$ of places of the system under consideration (with- 
out losing expressive power by this convention), and evaluate a proposition at 
the configuration $\downarrow e$ according to $M(\downarrow e)$. 

Formally, we define two satisfaction relations: a global relation $\models$, defined for 
the local configurations of arbitrary locations, and for each agent $i \in Loc$ a local 
relation $\models_i$, defined exclusively for the $i$-local configurations. These relations are 
inductively defined as follows: 

We say that the system $\Sigma$ satisfies a formula $\varphi$ if the empty configuration $\downarrow\bot$ 
of $Unf_\Sigma$ satisfies $\varphi$, i.e., if $\downarrow\bot \models \varphi$. The future fragment $\mathcal{L}^+$ of $\mathcal{L}$ consists of all 
formulae without the past operator $\lozenge^-$. 



4 Factorisation of the Unfolding 

In general, the unfolding of a net system is infinite, even if the net is finite- 
state. Therefore, many model checking algorithms cannot directly be applied to 
a modal logic defined over the unfolding. One way to overcome this problem is 
to look for a factorisation of the unfolding by a decidable equivalence relation $\equiv$ 
that is finer than the distinguishing power of the formula to be evaluated, i.e., 
$C \equiv C'$ shall imply $C \models \varphi \Leftrightarrow C' \models \varphi$. The second requirement on $\equiv$ is that a set 
of representatives of its finitely many equivalence classes and a representation of 
the (transition) relations between the classes can be computed effectively. Then 
we can decide $C \models \varphi$ on $Unf$ by transferring the question to the model checking 
problem $(C/{\equiv}) \models \varphi$ on $(Unf/{\equiv}, \to)$. 

The finite prefix. The first construction of an appropriate finite factorisation 
was given by McMillan [McM92]. He showed how to construct a finite prefix of 
the unfolding of a safe, i.e. finite-state, net system in which every reachable mark- 
ing is represented by some cut. In terms of temporal logic, his approach amounts 
to considering formulae of the type $\lozenge\psi$ where $\lozenge$ is "global reachability" and $\psi$ is 
a boolean combination of atomic propositions $P$. The key to the construction is 
that if the prefix contains several events with $M$-equivalent local configurations, 
then their futures are isomorphic, i.e., they cannot be distinguished by the logic. 
Consequently, only one of them needs to be explored further, while the others 
become cutoff events. The finite prefix $Fin$ is that initial part of the unfolding 
that contains no causal successor of any cutoff, i.e., an event $e'$ belongs to $Fin$ 
iff no event $e < e'$ is a cutoff. 

In general, the formal definition of a cutoff requires two crucial relations on 
configurations: an instance of the equivalence relation $\equiv$, and a partial order $\prec$. 
On the one hand, this partial order shall ensure that the expanded prefix con- 
tains a representative for each equivalence class. On the other hand, it shall 
guarantee that the prefix remains finite. The requirements for an adequate par- 
tial order $\prec$ (in conjunction with $M$-equivalence) were examined in detail in 
[ERV96]. They are as follows: it must be well-founded, it must respect set inclu- 
sion ($C \subset C'$ implies $C \prec C'$), and it must be preserved under finite extensions, 
i.e., if $C \equiv_M C'$ and $C \prec C'$ then $C \oplus E' \prec C' \oplus I_C^{C'}(E')$. 

Such an adequate partial order is particularly useful if it is total, so that 
for each two equivalent local configurations $\downarrow e \equiv \downarrow e'$ either $e$ or $e'$ can be discrim- 
inated as a cutoff. For 1-safe nets, a total order satisfying the above requirements 
was defined in [ERV96], yielding a minimal prefix. 

In [McM92,ERV96] just $M$-equivalence is considered. In conjunction with an 
adequate order $\prec$ the definition of $Fin$ guarantees that each reachable marking 
is represented by the state of a configuration contained in $Fin$. 
It was already observed in [HNW98b] that refining $M$-equivalence yields 
an extended prefix which, although possibly larger than the prefix of 
[McM92,ERV96], allows one to apply a standard $\mu$-calculus model checker for a lo- 
cation based modal logic called the distributed $\mu$-calculus. We defined an equiva- 
lence $\equiv_{M,loc}$ by $\downarrow e \equiv_{M,loc} \downarrow e'$ iff $\downarrow e \equiv_M \downarrow e'$ and $loc(e) = loc(e')$, and proved that 
$\equiv_{M,loc}$-equivalence equals the distinguishing power of the distributed $\mu$-calculus. 

Generalised cutoffs. Now we look for more general conditions on equivalence 
relations that ensure that all equivalence classes can be computed by a prefix 
construction. Let us call a decidable equivalence relation $\equiv$ on configurations of 
$Unf$ adequate if it refines $M$-equivalence and has finite index, i.e., $C \equiv C'$ 
implies $C \equiv_M C'$, and $\equiv$ has only finitely many equivalence classes on $Unf$. We 
give a generalised definition of a cutoff event by 

$$e \in E \text{ is a cutoff iff } \exists e' \in E \text{ such that } \downarrow e' \equiv \downarrow e \text{ and } \downarrow e' \prec \downarrow e$$

where $\equiv$ is an adequate equivalence relation and $\prec$ is an adequate partial order. 
The finite prefix $Fin$ constructed for $\equiv$ is given by the condition: $e'$ belongs to 
$Fin$ iff no event $e < e'$ is a cutoff. It is obvious from the cutoff definition that 
$Fin$ constructed for $\equiv$ contains a representative for each $\equiv$-class of $Unf$. 

Proposition 1. The prefix $Fin$ constructed for an adequate $\equiv$ is finite. 
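The prefix construction of this section (cutoff events under an adequate equivalence and an adequate order, `Fin` as the part of the unfolding below the cutoffs), together with the configurations, cuts, states, local configurations and i-views of Section 2, as an added example for this edition. It is our own code, not the paper's: it uses McMillan's size-of-local-configuration order as the adequate order, takes the equivalence as a key function (`m_key` for M-equivalence as in [McM92,ERV96], `m_loc_key` for the (M, loc) refinement of [HNW98b]), and the net encoding by preset/postset maps, the toy system and all names are assumptions of the example.

```python
"""Added example (ours, not the paper's code): a McMillan-style finite prefix
of the unfolding of a 1-safe distributed net system. The cutoff test is
parameterised by an equivalence key (M-equivalence, or the (M, loc)
refinement of [HNW98b]) and uses |local configuration| as adequate order.
Also Cut(C), the state M(C), local configurations and i-views. The net
encoding (preset/postset maps), the toy system and all names are our own."""
from itertools import product

class Prefix:
    def __init__(self, pre, post, loc_t, m0, equiv_key):
        self.pre, self.post, self.loc_t, self.key = pre, post, loc_t, equiv_key
        self.Loc = frozenset().union(*loc_t.values())
        self.cond_place, self.cond_gen = [], []       # condition -> place / producing event
        self.ev_trans, self.ev_pre, self.ev_local = [None], [frozenset()], [frozenset()]
        self.ev_post, self.cutoffs = [], set()
        # event 0 is the virtual initial event ⊥: empty preset, Min(N') as postset
        self.ev_post.append(frozenset(self._new_cond(p, 0) for p in sorted(m0)))
        while True:                                   # add possible extensions in ≺-order
            exts = self._extensions()
            if not exts:
                break
            self._add_event(*min(exts, key=lambda x: (self._size(x[1]), x[0], sorted(x[1]))))

    def _new_cond(self, place, gen):
        self.cond_place.append(place); self.cond_gen.append(gen)
        return len(self.cond_place) - 1

    def _history(self, conds):                 # union of the local configurations below conds
        return frozenset().union(*(self.ev_local[self.cond_gen[b]] for b in conds))

    def _size(self, conds):                    # |↓e| for a new event e with preset conds
        return len(self._history(conds)) + 1

    def _concurrent(self, conds):
        """conds pairwise concurrent: neither causally related nor in conflict."""
        H = self._history(conds)
        if any(b in self.ev_pre[e] for b in conds for e in H):
            return False                          # some b lies causally below another
        hs = sorted(H)                            # conflict-free iff presets pairwise disjoint
        return not any(self.ev_pre[x] & self.ev_pre[y] for i, x in enumerate(hs) for y in hs[i + 1:])

    def _extensions(self):
        """(t, preset) pairs not yet in the prefix; successors of cutoffs are never added."""
        by_place = {}
        for b, p in enumerate(self.cond_place):
            if self.cond_gen[b] not in self.cutoffs:
                by_place.setdefault(p, []).append(b)
        have = set(zip(self.ev_trans, self.ev_pre))
        return [(t, frozenset(c)) for t, places in self.pre.items()
                for c in product(*(by_place.get(p, []) for p in sorted(places)))
                if (t, frozenset(c)) not in have and self._concurrent(frozenset(c))]

    def _add_event(self, t, pre):
        e = len(self.ev_trans)
        self.ev_trans.append(t); self.ev_pre.append(pre)
        self.ev_local.append(self._history(pre) | {e})
        self.ev_post.append(frozenset(self._new_cond(p, e) for p in sorted(self.post[t])))
        k, n = self.key(self, e), len(self.ev_local[e])
        # cutoff: an earlier event e' with key(e') = key(e) and |↓e'| < |↓e|
        if any(self.key(self, e2) == k and len(self.ev_local[e2]) < n for e2 in range(e)):
            self.cutoffs.add(e)

    def cut(self, C):
        """Cut(C) = (Min(N') ∪ C•) minus •C, for a configuration C (a set of real events)."""
        conds = set(self.ev_post[0]).union(*(self.ev_post[e] for e in C))
        return frozenset(conds.difference(*(self.ev_pre[e] for e in C)))

    def marking(self, C):                      # state M(C) = π(Cut(C))
        return frozenset(self.cond_place[b] for b in self.cut(C))

    def loc(self, e):                          # loc(e) = loc(π(e)); loc(⊥) = Loc
        return self.loc_t[self.ev_trans[e]] if e else self.Loc

    def view(self, C, i):
        """i-view of C: local configuration of the causally maximal i-event in C (∅ if none)."""
        return max((self.ev_local[e] for e in C if i in self.loc(e)), key=len, default=frozenset())

def m_key(u, e):         # M-equivalence of local configurations [McM92, ERV96]
    return u.marking(u.ev_local[e])

def m_loc_key(u, e):     # refinement of [HNW98b]: same state and same location
    return (u.marking(u.ev_local[e]), u.loc(e))

# Constructed toy system: agent A may idle (x) or step (a); A and B then synchronise.
PRE = {'x': {'a0'}, 'a': {'a0'}, 'b': {'b0'}, 'sync': {'a1', 'b1'}}
POST = {'x': {'a0'}, 'a': {'a1'}, 'b': {'b1'}, 'sync': {'a0', 'b0'}}
LOC_T = {'x': frozenset('A'), 'a': frozenset('A'), 'b': frozenset('B'), 'sync': frozenset('AB')}
M0 = {'a0', 'b0'}

def build(equiv_key):
    return Prefix(PRE, POST, LOC_T, M0, equiv_key)

def n_events(u):         # real events of the prefix (cutoffs included, ⊥ excluded)
    return len(u.ev_trans) - 1

if __name__ == '__main__':
    for k in (m_key, m_loc_key):
        u = build(k)
        print(k.__name__, n_events(u), 'events,', sorted(u.cutoffs), 'cutoffs')
```

For the toy system, M-equivalence yields a prefix with 4 events and 2 cutoffs (the idle step `x` is cut off against `⊥`, since it reaches the initial marking again), while the (M, loc) refinement keeps `x` because `loc(x) = {A}` differs from `loc(⊥) = Loc`, and the prefix grows to 6 events with 3 cutoffs. Successors of cutoffs are never generated, which is what keeps `Fin` finite; `cut` and `marking` compute `Cut(C)` and `M(C)` for any configuration, not only local ones, so the marking `{a1, b1}` that no local configuration reaches is still found as the state of the configuration `{a, b}`.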

An adequate equivalence finer than $\mathcal{L}$. In contrast to S4 as used in [Esp94] 
and the distributed $\mu$-calculus in [HNW98b], an equivalence finer than the distin- 
guishing power of $\mathcal{L}$ has infinite index. However, by each finite set of $\mathcal{L}$-formulae 
we can only distinguish finitely many classes of configurations. Thus we can 
hope for a model checking procedure following the outline from the beginning 
of the section, if we find an equivalence which is at least as discriminating as 
the Fischer-Ladner closure of an $\mathcal{L}$-formula $\varphi$, because this is the set of formulae 
relevant for model checking $\varphi$ on $Unf$. First, we need some technical definitions. 

Let us denote the gossip-past-depth of a formula $\varphi \in \mathcal{L}$ by $gpd(\varphi)$. It shall 
count how often in the evaluation of $\varphi$ we have to change the local view or to 
go back into the local past. The inductive definition is 

$$\begin{aligned}
gpd(p) &= 1 & gpd(\neg\varphi) &= gpd(\varphi) \\
gpd(\varphi \wedge \psi) &= \max\{gpd(\varphi), gpd(\psi)\} & gpd(\lozenge\varphi) &= gpd(\varphi) \\
gpd(@i{:}\varphi) &= gpd(\varphi) + 1 & gpd(\lozenge^-\varphi) &= gpd(\varphi) + 1
\end{aligned}$$
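A parser for the generalised syntax $\mathcal{L}$ of Section 3, with `gpd` as defined above and the scoping rule (every temporal modality inside some gossip modality), as an added example for this edition, not the paper's code. The ASCII surface syntax is our own choice: `!` for $\neg$, `&` for $\wedge$, `<>` for $\lozenge$, `<>-` for $\lozenge^-$ and `@i:` for the gossip modality; `from_csa` performs the textual rewriting of the original `<>_i` / `<>-_i` into `@i:<>` / `@i:<>-` described in Section 3. All names are ours.

```python
"""Added example (ours, not from the paper): a parser for the generalised syntax
L, the gossip-past-depth gpd, the scoping rule of L (every temporal modality lies
inside some @i:), and the translation of the original L_CSA modalities. The ASCII
surface syntax (!, &, <>, <>-, @i:) and all names are our own choices."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Prop:
    name: str
@dataclass(frozen=True)
class Not:
    sub: object
@dataclass(frozen=True)
class And:
    left: object
    right: object
@dataclass(frozen=True)
class Future:            # <>   local future (within the enclosing @i:)
    sub: object
@dataclass(frozen=True)
class Past:              # <>-  local past
    sub: object
@dataclass(frozen=True)
class At:                # @i:  gossip modality, switches to the i-view
    loc: str
    sub: object

TOKEN = re.compile(r"\s*(?:<>-|<>|@\w+:|\w+|[!&()])")

def tokenize(s):
    pos, out = 0, []
    s = s.rstrip()
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if not m:
            raise SyntaxError(f"bad input at {pos}: {s[pos:]!r}")
        out.append(m.group(0).strip())
        pos = m.end()
    return out

class Parser:
    """formula ::= unary ('&' unary)* ; unary ::= '!' unary | '<>' unary | '<>-' unary
                 | '@i:' unary | '(' formula ')' | p      (prefix operators bind tighter than &)"""
    def __init__(self, s):
        self.toks, self.i = tokenize(s), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, tok=None):
        t = self.peek()
        if t is None or (tok is not None and t != tok):
            raise SyntaxError(f"expected {tok or 'a formula'}, got {t!r}")
        self.i += 1
        return t
    def formula(self):
        left = self.unary()
        while self.peek() == '&':
            self.take('&')
            left = And(left, self.unary())
        return left
    def unary(self):
        t = self.peek()
        if t == '!':   self.take(); return Not(self.unary())
        if t == '<>':  self.take(); return Future(self.unary())
        if t == '<>-': self.take(); return Past(self.unary())
        if t and t.startswith('@'): self.take(); return At(t[1:-1], self.unary())
        if t == '(':
            self.take(); f = self.formula(); self.take(')')
            return f
        if t and re.fullmatch(r"\w+", t):
            return Prop(self.take())
        raise SyntaxError(f"unexpected token {t!r}")

def parse(s):
    p = Parser(s)
    f = p.formula()
    if p.peek() is not None:
        raise SyntaxError(f"trailing input {p.toks[p.i:]}")
    return f

def gpd(f):
    """Gossip-past-depth: how often evaluation changes the local view or steps into the past."""
    if isinstance(f, Prop): return 1
    if isinstance(f, (Not, Future)): return gpd(f.sub)
    if isinstance(f, And): return max(gpd(f.left), gpd(f.right))
    return gpd(f.sub) + 1                    # At and Past each add one level

def well_scoped(f, inside_gossip=False):
    """Requirement of L: every <> / <>- occurs within the scope of some @i:."""
    if isinstance(f, Prop): return True
    if isinstance(f, (Future, Past)): return inside_gossip and well_scoped(f.sub, True)
    if isinstance(f, At): return well_scoped(f.sub, True)
    if isinstance(f, Not): return well_scoped(f.sub, inside_gossip)
    return well_scoped(f.left, inside_gossip) and well_scoped(f.right, inside_gossip)

def from_csa(s):
    """Original L_CSA syntax <>_i / <>-_i, rewritten to @i:<> / @i:<>- and parsed."""
    s = re.sub(r"<>-_(\w+)", r"@\1:<>-", s)
    return parse(re.sub(r"<>_(\w+)", r"@\1:<>", s))
```

The typical specification from Section 3, written for the two agents `A` and `B` with implication expanded as `!(x & !y)`, is `@A: <> !(a1 & !(@B: <> b1))`; its gossip-past-depth is 3, which is the `n` that selects the equivalence $\equiv^n_i$ below, and one past step inside a gossip modality raises it by one more.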

Now we are ready to define the crucial equivalence relation which is the 
basis for model checking $\mathcal{L}$. It is parameterised by a natural number $n$ (which will 
be the gossip-past-depth of a given formula) and by a location $i$ (at which the 
formula is interpreted). Formally, we define $\equiv^n_i \subseteq \mathcal{C}^i_{loc} \times \mathcal{C}^i_{loc}$ to be the coarsest 
equivalence relation satisfying: 

$$\begin{aligned}
\downarrow e \equiv^n_i \downarrow f &\;\text{ implies }\; \forall p \in P_i.\; p \in M(\downarrow e) \Leftrightarrow p \in M(\downarrow f) \\
\downarrow e \equiv^n_i \downarrow f &\;\text{ implies }\; \forall j, k \in Loc.\; \downarrow^j e \subseteq \downarrow^k e \Leftrightarrow \downarrow^j f \subseteq \downarrow^k f
\end{aligned}$$

and for all $n > 0$ moreover 

$$\begin{aligned}
\downarrow e \equiv^n_i \downarrow f &\;\text{ implies }\; \forall j \in Loc.\; \downarrow^j e \equiv^{n-1}_j \downarrow^j f \\
(*)\qquad &\text{ and }\; \forall e' \in (\downarrow e \cap E_i).\; \exists f' \in (\downarrow f \cap E_i).\; \downarrow e' \equiv^{n-1}_i \downarrow f' \\
&\text{ and }\; \forall f' \in (\downarrow f \cap E_i).\; \exists e' \in (\downarrow e \cap E_i).\; \downarrow e' \equiv^{n-1}_i \downarrow f'
\end{aligned}$$

The first condition is an $i$-localised version of $M$-equivalence. The second one 
refers to the latest information concerning agents other than $i$, and the third 
condition inductively lifts the equivalence with respect to the levels of the gossip- 
past-depth. Let us briefly collect some important facts about the equivalence. 

Observation 2. The equivalence relation $\equiv^n_i$ is decidable and of finite index for 
every $n \ge 0$. Furthermore, $\equiv^{n+1}_i$ refines $\equiv^n_i$, i.e., $\equiv^{n+1}_i \subseteq \equiv^n_i$ for all $n$. Finally, 
it respects $M$-equivalence, i.e., $\downarrow e \equiv^n_i \downarrow f$ implies $M(\downarrow e) = M(\downarrow f)$ for all $n > 0$. 

Remark 3. Note that the last two lines of the third condition, after $(*)$, can be 
omitted if we restrict ourselves to the (still very useful) sublanguage $\mathcal{L}^+$, yielding 
considerable savings: with this condition, the number of equivalence classes of 
$\equiv^n_i$ may grow non-elementarily with $n$, forbidding any consideration of practi- 
cability, whereas without this condition the number of equivalence classes grows 
exponentially with $n$. 

The most important property of the equivalence used in the proof of the 
main result is that it is preserved by local successors, as stated in Lemma 4. 

Lemma 4. Let $e < e'$ and $f < f'$ be $i$-events such that $\downarrow e \equiv^n_i \downarrow f$, and let $I$ 
be the isomorphism from $\Uparrow(\downarrow e)$ onto $\Uparrow(\downarrow f)$. If $f' = I(e')$ then also $\downarrow f' \equiv^n_i \downarrow e'$. 

Proof. This is the most involved proof, and a main result of the paper. Please note 
that (for reasons of readability) the proof given here only deals with the pure 
future fragment $\mathcal{L}^+$ of the logic $\mathcal{L}$, i.e., the third condition of the definition of 
the equivalence relation has to be read without the last two lines after the 
$(*)$. For the (even more involved) proof for the full logic $\mathcal{L}$, i.e., including the 
condition $(*)$ of the definition, see [HNW98a]. 

Let us define some notions and notations: since we will often talk about a 
number of view changes in sequence, we introduce "paths" through the locations 
of the system. Let $\sigma = l_1 l_2 \cdots l_n$ be a sequence of locations (called a location 
path), i.e., $l_j \in Loc$ for all $1 \le j \le n$. Given any configuration $C$, we define 
$\downarrow^\sigma C := \downarrow^{l_1}(\downarrow^{l_2}(\cdots(\downarrow^{l_n} C)\cdots))$. We set $\downarrow^\varepsilon e := \downarrow e$, where $\varepsilon$ is the (empty) sequence 
of length 0. Note that a location path may include repetitions, i.e., $l_i = l_j$ for 
$i \neq j$ is allowed. Given an event $g$ and some location path $\sigma$, we denote by $g_\sigma$ 
the event that determines the $\sigma$-view of $\downarrow g$, i.e., $\downarrow^\sigma g = \downarrow g_\sigma$. 

Now let $e < e'$ and $f < f'$ be events of $E_i$, and $n \ge 1$, as in the assumptions of 
the Lemma. First of all, we note that the required isomorphism $I$ exists because 
$\equiv^n_i$-equivalence implies $M$-equivalence. 

We have to show $\downarrow f' \equiv^n_i \downarrow e'$. A key observation is the following: for every 
location path $\sigma$, it holds that if $e'_\sigma \notin \downarrow e$ then $I(e'_\sigma) = f'_\sigma \notin \downarrow f$. 
This is the basis for the induction on $m \le n$: for each sequence $\sigma$ of length 
$n - m$ with $e'_\sigma \notin \downarrow e$ (and also $f'_\sigma \notin \downarrow f$), it holds that $\downarrow e'_\sigma \equiv^m_j \downarrow f'_\sigma$, where $j$ is either 
the first location occurring in the sequence $\sigma$ (if $n > m$), or $j := i$ (if $n = m$ 
and the empty sequence $\varepsilon$ is the only sequence of length $n - m$). In the latter 
case (because $e' \in E_i$, and $\downarrow^i f' = \downarrow f'$), we thus obtain $\downarrow f' \equiv^n_i \downarrow e'$ 
as required. The induction relies on a case analysis according to the following 
cases: $m = 0$, $n = m = 1$, $n = m > 1$, $n > m = 1$, and finally $n > m > 1$. 

• For $m = 0$ we have to show that $\downarrow e'_\sigma \equiv^0_j \downarrow f'_\sigma$. This is clear, because $I(e'_\sigma) = 
f'_\sigma \in E_j$ and thus the $j$-local parts of the markings of $\downarrow e'_\sigma$ and $\downarrow f'_\sigma$ coincide, 
because $\pi(e'_\sigma)^\bullet = \pi(f'_\sigma)^\bullet$. 

• For $n = m = 1$ we have to show that $\downarrow e \equiv^1_i \downarrow f$ implies $\downarrow e' \equiv^1_i \downarrow f'$, i.e., (1) for 
all $j \in Loc$: $\downarrow^j e' \equiv^0_j \downarrow^j f'$, and (2) for all $j, k \in Loc$: $e'_j \le e'_k$ iff $f'_j \le f'_k$. 

If $e'_j \le e$ then $\downarrow e' \setminus \downarrow e$ contains no $j$-event, which means that $e'_j = e_j$ and 
similarly $f'_j = f_j$, so (1) follows easily. If $e'_j \notin \downarrow e$ then also $f'_j \notin \downarrow f$, in which case 
$\downarrow e'_j \equiv^0_j \downarrow f'_j$ follows by induction. 

So consider (2). Let $j, k \in Loc$. We show that $e'_j \le e'_k$ iff $f'_j \le f'_k$, using a 
similar case analysis. If $e'_j, e'_k \notin \downarrow e$, then the isomorphism preserves the order. If 
$e'_j, e'_k \le e$, then $e'_j = e_j$ and $e'_k = e_k$ (and similarly $f'_j = f_j$, $f'_k = f_k$), and so 
the order is inherited from the corresponding local views of $\downarrow e$ and $\downarrow f$, which 
by assumption match. The third case is $e'_j \le e$ but $e'_k \notin \downarrow e$, and thus similarly 
$f'_j \le f$ but $f'_k \notin \downarrow f$. Since this is the most sophisticated argument and is also used 
in the other cases, the situation is illustrated in Fig. 3. $e'_j \le e$ implies $e'_j = e_j$. 
Now we choose an $l \in Loc$ such that $e_j \le e_l \le e'_k$ and moreover $e_l$ is (causally) 
maximal in this respect. 

Fig. 3. Situation: $e'_k \notin \downarrow e$ and $e'_j \le e$ (figure not reproduced) 

For at least one of the possible choices of $l$, there 
exists an event $e'' \in E_l$ such that $e'' \in (\downarrow e' \setminus \downarrow e)$. By the isomorphism, we have 
that $I(e'') = f'' \in (\downarrow f' \setminus \downarrow f)$. By the assumption on the equivalence of $e$ and $f$ we 
can conclude $f'_j = f_j \le f_l \le f'' \le f'_k$, i.e., $\downarrow f'_j \subseteq \downarrow f'_k$ as desired. 

• For $n = m > 1$ the reasoning is similar to the case $n = m = 1$, except that the 
argument for the gossip aspect of the equivalence is not needed. 

• For $n > m = 1$, let $\sigma = (i'\sigma')$ be a sequence of length $n - 1$ with $e'_\sigma \notin \downarrow e$. 
Again, we have to show $\downarrow e'_\sigma \equiv^1_{i'} \downarrow f'_\sigma$. Let $j \in Loc$. For the case of $e'_{\sigma j} \notin \downarrow e$ the 
$\equiv^0_j$-equivalence is a consequence of $I(e'_{\sigma j}) = f'_{\sigma j}$. For $e'_{\sigma j} \le e$ there exists again 
an $l \in Loc$ with $e'_{\sigma j} \le e_l \le e'_\sigma$ so that $e_l$ is maximal in this respect, and as above 
we also obtain $f'_{\sigma j} \le f_l \le f'_\sigma$. Moreover, in this case it holds that $e_{lj} = e'_{\sigma j}$ and 
similarly $f_{lj} = f'_{\sigma j}$. By assumption, we have $\downarrow(e_{lj}) \equiv^{n-2}_j \downarrow(f_{lj})$ and, because of 
$n \ge 2$, in particular $\downarrow(e_{lj}) \equiv^0_j \downarrow(f_{lj})$ as desired. 

The argument concerning the relative orders of $j$-views and $k$-views of $\downarrow e'_\sigma$ and 
$\downarrow f'_\sigma$ is the same as for the case of $n = m = 1$. 

• For $n > m > 1$ let $\sigma$ be of length $n - m$, such that $\sigma$ has $j$ as first element, 
and such that $e'_\sigma \notin \downarrow e$, and similarly $f'_\sigma \notin \downarrow f$. We have to show that for each 
$k \in Loc$ it holds that $\downarrow e'_{\sigma k} \equiv^{m-1}_k \downarrow f'_{\sigma k}$. For $e'_{\sigma k} \notin \downarrow e$ (and similarly $f'_{\sigma k} \notin \downarrow f$) 
this follows from the induction hypothesis. For $e'_{\sigma k} \le e$ there exists (again) a 
location $l$, such that $e'_{\sigma k} \le e_l \le e'_\sigma$ and $e_l$ is causally maximal in this respect. 
Then $\downarrow e_{lk} \equiv^{n-2}_k \downarrow f_{lk}$ where $n - 2 \ge m - 1$, so that the desired 
claim follows from the observation $\equiv^{n-2}_k \subseteq \equiv^{m-1}_k$. $\square$ 

Theorem 5. Let $\varphi$ be an $\mathcal{L}$-formula of gossip-past-depth $n$, and let $e, f \in E_i$ 
with $\downarrow e \equiv^n_i \downarrow f$. Then $\downarrow e \models_i \varphi$ iff $\downarrow f \models_i \varphi$. 

Proof. By structural induction on $\varphi$: for atomic propositions, note that $\downarrow e \equiv^n_i 
\downarrow f$ implies $\downarrow e \equiv_M \downarrow f$ (cf. Observation 2), and hence $\downarrow e \models_i p$ iff $\downarrow f \models_i p$. The 
induction for boolean connectives is obvious. 

For $gpd(\lozenge\varphi) = gpd(\varphi) = n$ let $\downarrow e \models_i \lozenge\varphi$ and $\downarrow e \equiv^n_i \downarrow f$. We have to show 
that also $\downarrow f \models_i \lozenge\varphi$ (all other cases follow by symmetry). By definition, there 
exists $e' \ge e$ with $e' \in E_i$ and $\downarrow e' \models_i \varphi$. By Lemma 4 the event $f' = I(e') \in E_i$ 
obtained from the isomorphism $I$ due to the $M$-equivalence of $\downarrow e$ and $\downarrow f$ satisfies 
$f \le f'$ and $\downarrow e' \equiv^n_i \downarrow f'$. By induction, $\downarrow f' \models_i \varphi$ and finally $\downarrow f \models_i \lozenge\varphi$. 

Now let $\varphi = @j{:}\psi$ with $gpd(\varphi) = gpd(\psi) + 1 = n$. If $\downarrow e \models_i \varphi$ then 
$\downarrow^j e \models_j \psi$, and by definition $\downarrow^j e \equiv^{n-1}_j \downarrow^j f$. Thus, by induction, $\downarrow^j f \models_j \psi$, and 
finally $\downarrow f \models_i \varphi$. 

Finally, let $\varphi = \lozenge^-\psi$, with $gpd(\psi) = n - 1$, and $\downarrow e \models_i \lozenge^-\psi$, i.e., there exists an 
event $e' \in E_i$, s.t. $e' \le e$ and $\downarrow e' \models_i \psi$. Due to the third condition $(*)$, there exists 
an $f' \in E_i$, s.t. $f' \le f$ and $\downarrow f' \equiv^{n-1}_i \downarrow e'$. Hence, by induction, also $\downarrow f' \models_i \psi$, 
and thus $\downarrow f \models_i \varphi$. $\square$ 

Based on the local equivalences, we define an adequate equivalence relation 
for the construction of a finite prefix by $\downarrow e \equiv^n \downarrow f$ iff $loc(e) = loc(f)$ and $\downarrow e \equiv^n_i \downarrow f$ 
for all $i \in loc(e)$. The next and last step to transfer the $\mathcal{L}$ model checking prob- 
lem from the unfolding to an equivalent model checking problem over a finite 
structure is the definition of the transitions between the $\equiv^n$-equivalence classes 
of $Unf$. This is done in the next section. 

5 Model checking 

In this section we propose a verification technique for $\mathcal{L}$. Following the lines of 
[HNW98b], we sketch a reduction of a given instance of the problem to a 
suitable input for well investigated model checkers like e.g. [CES86]. 
Let us consider a distributed net system $\Sigma$ and an $\mathcal{L}$-formula $\varphi$ of gossip- 
past-depth $n$. We have shown so far how to construct a finite prefix $Fin$ of the 
unfolding $Unf_\Sigma$ that contains representatives for all equivalence classes. Now 
we want to compute a finite, multi modal Kripke structure on the representatives 
that is equivalent to $Unf_\Sigma$ with respect to the evaluation of $\varphi$. What is missing 
are the transitions between the representatives. 

Computing a finite Kripke structure. Let $n \in \mathbb{N}$, and $Unf_\Sigma = (N', \pi)$ 
with $N' = (B, E, F)$ be fixed, and let $\equiv^n$ be the equivalence relation used for 
the construction of $Fin$. The state space of the desired Kripke structure $\mathcal{T}_n$ 
consists of one representative of each $\equiv^n$ equivalence class. Note that by using 
the adequate total order $\prec$ of [ERV96], these representatives are unique, 
and so the state space is given by $S_n := \{\downarrow e \mid e \in Fin \text{ and } e \text{ is not a cutoff}\}$. If 
the used order $\prec$ is not total, we fix one non-cutoff event (resp. its local configuration) 
of the prefix as the representative of each $\equiv^n$ equivalence class. For every local 
configuration $\downarrow e$ of $Unf_\Sigma$, let $rep(\downarrow e) \in S_n$ denote the unique representative. 

Now let us consider the transitions of the Kripke structure. We introduce a
transition relation for each of the modalities of the logic. Let $\downarrow e, \downarrow f \in S_n$.

$\downarrow e \rightarrow^n_i \downarrow f$ iff $e, f \in E_i$ and $\exists f' \in E_i .\ f' > e \wedge rep(\downarrow f') = \downarrow f$

$\downarrow e \leadsto_j \downarrow f$ iff $e \in E_i,\ f \in E_j \wedge \downarrow^j e = \downarrow f$

$\downarrow e \leftarrow_i \downarrow f$ iff $e, f \in E_i \wedge f < e$

Note that the definitions of $\leadsto_j$ and $\leftarrow_i$ rely on the fact that the set of configurations
in $Fin$ (and thus also in $S_n$) is downward closed, i.e., the $j$-view
of any element of $S_n$ is again in $S_n$ for every $j$, and of course past configurations
as well. On the whole, we obtain the multi modal Kripke structure
$\mathcal{T}_n = (S_n, \{\rightarrow^n_i, \leadsto_i, \leftarrow_i \mid i \in Loc\}, \downarrow\bot)$ with root $\downarrow\bot$.

As a corollary to Theorem 5 we obtain the following characterisation of the
semantics of $\mathcal{L}$ formulae over $\mathcal{T}_n$:

Corollary 6. Let $\varphi \in \mathcal{L}$ be a formula of gossip-past-depth $m < n$, and let
$\downarrow e \in S_n$ be an $i$-local configuration, i.e., $e \in E_i$.

1. If $\varphi = \Diamond\psi$ then $\downarrow e \models_i \varphi$ iff $\exists \downarrow f \in S_n$ with $\downarrow e \rightarrow^n_i \downarrow f$ and $\downarrow f \models_i \psi$.

2. If $\varphi = @_j\psi$ then $\downarrow e \models_i \varphi$ iff $\exists \downarrow f \in S_n$ with $\downarrow e \leadsto_j \downarrow f$ and $\downarrow f \models_j \psi$.

3. If $\varphi = \Diamond^-\psi$ then $\downarrow e \models_i \varphi$ iff $\exists \downarrow f \in S_n$ with $\downarrow e \leftarrow_i \downarrow f$ and $\downarrow f \models_i \psi$.

Proof. (1) follows from the semantics of $\Diamond$ and the fact that, by construction of
$\mathcal{T}_n$, for any pair of states $\downarrow f'$ and $\downarrow f = rep(\downarrow f')$ we have that $\downarrow f' \models_i \varphi$ iff $\downarrow f \models_i \varphi$
for any formula $\varphi$ with $gpd(\varphi) = m < n$. (2) and (3) are trivial. □

Thus, if we are able to actually compute (the transitions of) $\mathcal{T}_n$, then we
can immediately reduce the model checking problem of $\mathcal{L}$ to a standard model
checking problem over finite transition systems, applying e.g. [CES86].

Computing the transitions $\downarrow e \leadsto_j \downarrow f$ in $\mathcal{T}_n$ is trivial: $\downarrow f = \downarrow^j e$. Similarly,
computing the $\leftarrow_i$-successors of $\downarrow e$ is very easy. It is more difficult to compute
the transitions $\downarrow e \rightarrow^n_i \downarrow f$ if only $Fin$ is given. To achieve this, we use a modified
version of the algorithm proposed in [HNW98b].




Michaela Huhn et al.



An algorithm to compute the $\rightarrow^n_i$ transitions. We assume in the following
that the algorithm for constructing the prefix $Fin$ uses a total, adequate
order $\prec$. The construction of $Fin$ provides some useful structural information:
each cutoff $e$ has a corresponding event $e^\circ$, such that $\downarrow e \equiv^n \downarrow e^\circ$ and $\downarrow e^\circ \prec \downarrow e$.
Clearly, we choose $rep(\downarrow e) := \downarrow e^\circ$ for each cutoff $e$, and for non-cutoffs $f$ we set
$rep(\downarrow f) := \downarrow f$. For technical reasons, we extend the definition of $\rightarrow^n_i$: define
$C \rightarrow^n_i \downarrow e$ for any local or global configuration $C \subset \downarrow e'$, with $rep(\downarrow e') = \downarrow e$
and $e, e' \in E_i$. The construction of $Fin$ also provides a function $shift^*$, which
maps any configuration $C = C_1$ of $Unf_\Sigma$ containing some cutoff onto a configuration
$shift^*(C) = C_m$ not containing a cutoff, hence being present in $Fin$.
This function works by repeatedly applying $C_{k+1} := \downarrow c_k^\circ \cup I_{c_k}(C_k \setminus \downarrow c_k)$, with
$c_k \in C_k$ being a cutoff of $Fin$ and $c_k^\circ$ its corresponding, equivalent event.
This iterative application terminates, because the sequence $C_1, C_2, \ldots$ decreases
in the underlying (well-founded) order $\prec$. Obviously, this function implies the
existence of an isomorphism $I$ between $\beta(C)$ and $\beta(shift^*(C))$, which is the composition
of the isomorphisms $I_{c_k}$ induced by the chosen cutoff events. Moreover,
$shift^*(\downarrow e) \prec \downarrow e$ for any $e \in \beta(C)$, and hence for any $e$ for which $C \rightarrow^n_i \downarrow e$.

The most important part of the algorithm (cf. Fig. 4) is the recursive procedure
$successors$ which, when called from the top level with a pair $(\downarrow e, i)$, returns
the $\rightarrow^n_i$-successors of $\downarrow e$ in the finite structure. More generally, $successors$
performs a depth first search through pairs $(C, i)$, where $C$ is an arbitrary, not
necessarily local configuration not containing a cutoff and $i$ is a location. It
determines the subset of local configurations in $S_n$ that represent the $\rightarrow^n_i$-successors
of $C$. Formally, $\downarrow e \in successors(C, i)$ iff there exists $\downarrow e'$ in $Unf_\Sigma$ which
is $\equiv^n$-equivalent to $\downarrow e$, and $C \rightarrow^n_i \downarrow e'$.

Proposition 7. Compute-Multi-Modal-KripkeStructure computes the $\rightarrow^n_i$-,
$\leadsto_i$- and $\leftarrow_i$-transitions.

The proof can be found in [HNW98a]. Note that at top level, $successors$ is
always called with a local configuration $\downarrow e$ as parameter, but the extension of
$\downarrow e$ with cutoffs requires that we can also handle global configurations. In this
paper, we focus on decidability but not on efficiency. For heuristics on efficiency
improvements we refer the reader to [HNW98b].

6 Conclusion 

We have shown the decidability of the model checking problem for $\mathcal{L}$, a location
based branching-time temporal logic including temporal and gossip modalities.
The method is based on a translation of the modalities over net unfoldings (or
prime event structures) into transitions of a sequential transition system, for
which established model checkers for sequential logics can be applied.

While the method as presented is non-elementary for the full logic $\mathcal{L}$, the
restriction to the future fragment $\mathcal{L}^+$ has "only" exponential complexity but
still allows one to express interesting properties.
type Vertex = (C: Configuration; i: Location; pathmark: bool (* for dfs *))

prefix_successors(C, i) = {rep(↓e) | ↓e ∈ S_n ∧ C →ⁿ_i ↓e}

compatible_cutoffs(C) = {e | e is cutoff and ↓e ∪ C is a configuration in Fin}

proc successors(C, i): ConfigurationSet;
{ var result: ConfigurationSet;             (* result accumulator for current vertex *)
  Vertex v := findvertex(C, i);              (* lookup in hash table; if not found then *)
                                             (* create new vertex with pathmark = false *)
  if v.pathmark then return ∅; fi           (* we have closed a cycle *)
  result := prefix_successors(C, i);         (* directly accessible successors *)
  v.pathmark := true;                        (* put vertex on path *)
  for e_c ∈ compatible_cutoffs(C) do         (* find successors outside Fin behind e_c *)
    result := result ∪ successors(shift*(C ∪ ↓e_c), i);
  od;
  v.pathmark := false;                       (* take vertex from path *)
  return result;
}

proc Compute-Multi-Modal-KripkeStructure;
{ InitializeTransitionSystem(T_n, Fin);      (* extract state space from Fin *)
  for ↓e ∈ S_n, i ∈ Loc do
    add transition ↓e ⇝_i ↓ⁱe;
  od;
  for i ∈ Loc, ↓e, ↓f ∈ S_n with e, f ∈ E_i and ↓f ⊂ ↓e do
    add transition ↓e ←_i ↓f;
  od;
  for ↓e ∈ S_n, i ∈ Loc do
    for ↓e' ∈ successors(↓e, i) do
      add transition ↓e →ⁿ_i ↓e';
    od
  od
}

Fig. 4. The conceptual algorithm to compute the transitions of T_n.



We also hope that the presented results can be used as a methodological
approach to model checking temporal logics of causal knowledge [Pen98].

The main difficulty, the solution of which is also the major contribution of the
paper, was to find an adequate equivalence relation on local states that allows
one to construct a finite transition system containing a representative for each class
of equivalent local states. If the method really is to be applied, then refinements
of the equivalence that bring it closer to the logical equivalence, and thus lead to a
smaller index, will be crucial. We believe that the potential for such improvements
is high, at the price of much less understandable definitions.

For the treatment of past, an alternative and potentially more efficient approach
in the line of [LS95] - elimination of past modalities in CTL - might come
to mind, but the techniques used there can at least not directly be transferred
to our logic $\mathcal{L}$ because of the intricate interaction between past and gossip modalities.
A Complete Coinductive Logical System for Bisimulation Equivalence

Marina Lenisa*

Abstract. We introduce a coinductive logical system à la Gentzen for
establishing bisimulation equivalences on circular non-wellfounded regular
objects, inspired by work of Coquand, and of Brandt and Henglein.
In order to describe circular objects, we utilize a typed language, whose
coinductive types involve disjoint sum, cartesian product, and finite
powerset constructors. Our system is shown to be complete with respect
to a maximal fixed point semantics. It is shown to be complete also with
respect to an equivalent final semantics. In this latter semantics, terms
are viewed as points of a coalgebra for a suitable endofunctor on the
category Set* of non-wellfounded sets. Our system subsumes an axiomatization
of regular processes, alternative to the classical one given by
Milner.



Introduction 

In recent years, considerable energy has been devoted towards the development of
simple principles and techniques for understanding, defining and reasoning on infinite
and circular objects, such as streams, exact reals, processes, and other lazy
data types ([Mil83, MPC86, Tal90, Coq94, Gim95, BM96, Fio96]). Structural induction
trivially fails on infinite and non-wellfounded objects. It can be applied
only in rather contrived ways, and always indirectly, often utilizing inefficient
implementations of these objects, e.g. streams as inductively defined functions
on natural numbers. Elaborate mathematical theories, such as domain theory
([Plo85]) and metric semantics ([BV96]), can be used, of course, to support rigorous
treatment of such objects. But an ideal framework should allow one to deal with
infinite computational objects in a natural, operationally based, implementation-independent
way, without requiring any heavy mathematical overhead.

Systems based on coinductive definitions and coinduction proof principles
appear to be a good starting point for developing such a framework. See e.g.
[Coq94, HL95, BM96, Fio96, Len96, Pit96, Rut96, Tur96, Len98] for various
approaches to infinite objects based on coinduction. Coinductive techniques
are natural, in that infinite and circular objects and concepts often arise in
connection with a maximal fixed point construction of some kind. Moreover,
they can be justified often simply by elementary set-theoretical means, see e.g.
[Acz88, Len98]. In many situations, simple categorical concepts, such as those
of Final Semantics ([Acz88, RT93, Len96, Rut96, Len98]), are enough to achieve
a substantial generality. In this context infinite objects are described as terms
of $F$-coalgebras for suitable functors $F$.

* Work supported by Esprit Working Group "Types", MURST'97 Cofin. "Sistemi
Formali..." grant, TMR Linear FMRX-CT98-0170.

W. Thomas (Ed.): FOSSACS'99, LNCS 1578, pp. 243-257, 1999.
© Springer-Verlag Berlin Heidelberg 1999

Marina Lenisa

In this paper, inspired by the seminal work of Coquand ([Coq94, Gim94]), we
make a first step towards the formulation of a simple coinductive logical system
for reasoning on infinite circular objects, generalizing [BH97]. In particular, we
present a system à la Gentzen $\mathcal{S}_{co}$ for capturing bisimulation equivalences on
non-wellfounded regular (rational) objects, i.e. objects which have only a finite
number of non-isomorphic subobjects. In order to describe the objects, we make
use of an elementary typed language. Types are defined using the constructors
$+$ (disjoint sum), $\times$ (cartesian product), $\mathcal{P}_f$ (finite powerset), and the higher
order binding constructor $\nu$ (maximal fixed point). Objects are defined only
by constructors and recursive definitions. Differently from Coquand, we do not
consider functional types or term destructors. Many infinite recursive objects
usually dealt with in lazy programming can be easily seen to have a formal
counterpart in our typed language.

The crucial ingredient in the formulation of our logical system is a set of rules whose
conclusion can be used as auxiliary hypothesis in establishing the premises. In
a sense, our system can be viewed as a system for infinitely regressive proofs.
As remarked earlier, it is inspired by the technique for dealing with coinductive
types in Intuitionistic Type Theories, introduced in [Coq94], where infinite
proofs are handled by means of the guarded induction principle. This technique,
originally developed for predicative systems, was later extended by Gimenez to
impredicative systems, [Gim94, Gim95]. Our system can be seen as a partial
attempt at an elementary reconstruction of that approach, in such a way that it
can be reconciled with other, more classical, syntactical approaches to circular
objects ([Mil84, Acz88, BH97]). Our work seems to be related in particular to
[Gim94], where Coquand's principle of guarded induction is shown to be complete
with respect to the traditional principle of coinduction, in a type theoretic
setting.

This paper generalizes [BH97], where a coinductive axiomatization of the 
type (in)equality for a simple hrst order language of regular recursive types is 
provided. The types considered in [BH97] are terms for denoting regular binary 
trees. 

In order to give external independent justifications to our system, we consider
two different, but equivalent, semantics. The first is a fixed point semantics, the
latter is based on the Final Semantics paradigm ([Acz88, RT93, Tur96, Len98]).

The fixed point semantics is defined by introducing, for each type $\sigma$, a corresponding
bisimulation equivalence $\approx_\sigma$ on the set of closed terms typable with
$\sigma$. This family of equivalences is defined as the greatest fixed point of a monotone
operator $\Phi$, and it can be viewed as the "intended semantics". One of the
main technical results in this paper is the fact that the system $\mathcal{S}_{co}$ axiomatizes
completely the bisimulation equivalences $\approx_\sigma$ for all types $\sigma$. The correctness
of $\mathcal{S}_{co}$ is proved by coinduction, i.e. by showing that the family of relations
axiomatized by $\mathcal{S}_{co}$ on closed terms typable with $\sigma$ is a $\Phi$-bisimulation. The
completeness proof exploits the fact that the terms that we consider are regular.

A Complete Coinductive Logical System for Bisimulation Equivalence

In order to give the categorical semantics, we define a "universal" functor
$F$, involving constructors corresponding to each of the type constructors. Then
we show how to endow the family of closed typable terms $\{T^\circ_\sigma\}_{\sigma \in Type}$ with a
structure of $F$-coalgebra, in such a way that the greatest $F$-bisimulation on
the coalgebra of terms coincides with the family of bisimulation equivalences
$\{\approx_\sigma\}_{\sigma \in Type}$. This yields a final semantics for our typed language. Another
technical result of this paper is the fact that the categorical semantics coincides
with the fixed point semantics. For simplicity, we work in the category $Set^*$ of
non-wellfounded sets and set-theoretic functions. In this context final coalgebras
of many functors are maximal fixpoints. Non-wellfounded sets are elements of a
Universe à la Zermelo-Fraenkel in which the Foundation Axiom is replaced by the
Antifoundation Axiom $X_1$ of Forti and Honsell [FH83] (or by the Antifoundation
Axiom AFA of [Acz88]).

Our system, when restricted to the type of CCS-like processes, can be viewed
as a logical system for establishing strong equivalence of processes, alternative
to the classical axiomatic system of Milner, [Mil84].

The paper is organized as follows. In Section 1, we introduce the syntax
for types and terms, and the system for establishing correct typing judgements.
We introduce also the fixed point semantics as a family of bisimulation equivalences
$\{\approx_\sigma\}_{\sigma \in Type}$. In Section 2, we introduce the coinductive formal system $\mathcal{S}_{co}$ à la
Gentzen, and we show that, for all closed types $\sigma$, this system axiomatizes the
bisimulation equivalence $\approx_\sigma$ on $T^\circ_\sigma$. In Section 3, we define a "universal" functor
$F$ on the category $Set^*$, and we endow the set of closed typable terms with a
coalgebra structure for the functor $F$. Moreover, we show that the system $\mathcal{S}_{co}$
axiomatizes the largest $F$-bisimulation on the coalgebra of closed typable terms.
Final remarks and directions for future work appear in Section 4.

The author is grateful to Peter Aczel, Furio Honsell, and the anonymous 
referees for useful comments. 

1 Types and Terms

In this section we introduce a finite language for infinite objects.

Definition 1.1 (Types). Let $TVar$ be a set of type variables. The set of types
$Type$ is defined by

$\sigma ::= X \mid K_1 \mid \ldots \mid K_n \mid \sigma + \sigma \mid \sigma \times \sigma \mid \mathcal{P}_f(\sigma) \mid \nu X.\sigma$ ,

where $X \in TVar$, the symbols $K_1, \ldots, K_n$ denote constant types, and $+$, $\times$, $\mathcal{P}_f(\ )$
are the disjoint sum, cartesian product, and finite powerset type constructors. The
coinductive type $\nu X.\sigma$ is considered always to be guarded, i.e. all the free
occurrences of the variable $X$ in $\sigma$ are within the scope of a type constructor.
In the type $\nu X.\sigma$, the occurrences of the variable $X$ in $\sigma$ are bound. An
occurrence of the variable $X$ in $\sigma$ is free if it is not bound.

Remark 1.2. For simplicity, in the definition of types we have considered only
binary product and binary disjoint sum, but we could have considered, more in
general, $n$-ary products and $n$-ary disjoint sums, for $n > 0$.

Definition 1.3 (Terms). Let $Var$ be a set of variables. The set of terms $Term$
is defined by

$t ::= x \mid c^j_i \mid i_1(t) \mid i_2(t) \mid <t, t> \mid [t, \ldots, t] \mid rec\,x.t \mid in(t)$ ,

where $x \in Var$, $\{C_j = \{c^j_i \mid i \in I_j\}\}_{j \le n}$ are sets of constants, $[\ldots]$ denotes
the multiset term constructor, $i_1(\ )$, $i_2(\ )$ are the left and right injections in the
disjoint sum, $< , >$ is the pairing constructor, $in(\ )$ is the unfolding constructor,
and the term $rec\,x.t$ is required to be guarded, i.e. all the free occurrences of the
variable $x$ in $t$ are within the scope of one of the following term constructors:
$i_1(\ )$, $i_2(\ )$, $< , >$, $[\ldots]$.

Let $Term^\circ$ denote the set of closed terms.



We take terms to be equal up to permutation of elements in multisets. The
constructor $in(\ )$ is introduced in order to obtain a typing system in which the
shape of the type determines the form of the terms typable with that type (see
Definition 1.4 and Lemma 1.5 below).

In the syntax defined above, the non-deterministic process constructor $+$ of
CCS-like concurrent languages ([Mil83]) is subsumed by the $[\ldots]$ constructor.
The terms which we are interested in are those typable as follows:

Definition 1.4. Let $\mathcal{S}_{type}$ be the following formal typing system for deriving
judgements of the shape $\Delta \vdash_{type} t : \sigma$, where the environment $\Delta$ is a partial function
from $Var$ to $Type$.



$\dfrac{}{\Delta, x : \sigma \vdash_{type} x : \sigma}\ (var)$

$\dfrac{}{\Delta \vdash_{type} c^j_i : K_j}\ (const)$

$\dfrac{\Delta \vdash_{type} t : \sigma_1}{\Delta \vdash_{type} i_1(t) : \sigma_1 + \sigma_2}\ (+_1)$

$\dfrac{\Delta \vdash_{type} t : \sigma_2}{\Delta \vdash_{type} i_2(t) : \sigma_1 + \sigma_2}\ (+_2)$

$\dfrac{\Delta \vdash_{type} t_1 : \sigma_1 \quad \Delta \vdash_{type} t_2 : \sigma_2}{\Delta \vdash_{type} <t_1, t_2> : \sigma_1 \times \sigma_2}\ (\times)$

$\dfrac{\{\Delta \vdash_{type} t_i : \sigma\}_{i = 1, \ldots, n}}{\Delta \vdash_{type} [t_1, \ldots, t_n] : \mathcal{P}_f(\sigma)}\ ([\ ])$

$\dfrac{\Delta, x : \nu X.\sigma \vdash_{type} t : \nu X.\sigma \quad rec\,x.t \text{ guarded}}{\Delta \vdash_{type} rec\,x.t : \nu X.\sigma}\ (rec)$

$\dfrac{\Delta \vdash_{type} t : \sigma[\nu X.\sigma / X]}{\Delta \vdash_{type} in(t) : \nu X.\sigma}\ (fold)$



Lemma 1.5. Let $t \in Term \setminus Var$ be such that $\Delta \vdash_{type} t : \sigma$. Then

$\sigma = K_j \iff t \in C_j$

$\sigma = \sigma_1 + \sigma_2 \iff \exists j \in \{1, 2\}.\ \exists t'.\ (t = i_j(t')\ \&\ \Delta \vdash_{type} t' : \sigma_j)$

$\sigma = \sigma_1 \times \sigma_2 \iff \exists t_1, t_2.\ (t = <t_1, t_2>\ \&\ \forall j = 1, 2.\ \Delta \vdash_{type} t_j : \sigma_j)$

$\sigma = \mathcal{P}_f(\sigma_1) \iff \exists n \ge 0.\ \exists t_1, \ldots, t_n.\ (t = [t_1, \ldots, t_n]\ \&\ \forall i = 1, \ldots, n.\ \Delta \vdash_{type} t_i : \sigma_1)$

$\sigma = \nu X.\sigma_1 \iff \exists n \ge 0.\ \exists t'.\ (t = rec\,x_1 \ldots rec\,x_n.\,in(t')\ \&\ \Delta, x_1 : \nu X.\sigma_1, \ldots, x_n : \nu X.\sigma_1 \vdash_{type} t' : \sigma_1[\nu X.\sigma_1 / X])$.


The following Substitution Lemma can be easily proved by induction on
derivations.

Lemma 1.6 (Substitution).

$\Delta, x : \tau \vdash_{type} t : \sigma\ \&\ \Delta \vdash_{type} t' : \tau\ \Longrightarrow\ \Delta \vdash_{type} t[t'/x] : \sigma$ .



The following notation will be useful in the sequel:

Notation. Let $\sigma \in Type$.

— Let $T_\sigma$ denote the set $\{t \in Term \mid \exists \Delta.\ \Delta \vdash_{type} t : \sigma\}$.

— Let $T^\circ_\sigma$ denote the set $\{t \in Term^\circ \mid\ \vdash_{type} t : \sigma\}$.



1.1 Bisimulation Equivalence on Closed Typable Terms 

In this subsection we give the intended fixed point semantics of our typed language.
This takes the form of a family of bisimulation equivalences $\{\approx_\sigma\}_{\sigma \in Type}$,
where $\approx_\sigma$ is a relation on the set of closed terms $T^\circ_\sigma$. The family is characterized
as the greatest fixed point of the following monotone operator, whose
definition clearly reflects the intended meaning of the constructors:

Definition 1.7. Let $\Phi : \Pi_{\sigma \in Type}\,\mathcal{P}(T^\circ_\sigma \times T^\circ_\sigma) \to \Pi_{\sigma \in Type}\,\mathcal{P}(T^\circ_\sigma \times T^\circ_\sigma)$ be the
operator¹ defined as follows

$\Phi(\{\mathcal{R}_\sigma\}_{\sigma \in Type}) = \{\mathcal{R}^\Phi_\sigma\}_{\sigma \in Type}$ ,

where the relation $\mathcal{R}^\Phi_\sigma \subseteq T^\circ_\sigma \times T^\circ_\sigma$ is defined by

$t\ \mathcal{R}^\Phi_{K_j}\ t' \iff t = t'$

$t\ \mathcal{R}^\Phi_{\sigma_1 + \sigma_2}\ t' \iff \exists j \in \{1, 2\}.\ \exists t_1, t'_1.\ (t = i_j(t_1)\ \&\ t' = i_j(t'_1)\ \&\ t_1\ \mathcal{R}_{\sigma_j}\ t'_1)$

$t\ \mathcal{R}^\Phi_{\sigma_1 \times \sigma_2}\ t' \iff \exists t_1, t_2, t'_1, t'_2.\ (t = <t_1, t_2>\ \&\ t' = <t'_1, t'_2>\ \&\ \forall j = 1, 2.\ t_j\ \mathcal{R}_{\sigma_j}\ t'_j)$

$t\ \mathcal{R}^\Phi_{\mathcal{P}_f(\sigma_1)}\ t' \iff \exists m, n \ge 0.\ \exists t_1, \ldots, t_m, t'_1, \ldots, t'_n.\ (t = [t_1, \ldots, t_m]\ \&\ t' = [t'_1, \ldots, t'_n]\ \&$
$\qquad \forall t_i \in [t_1, \ldots, t_m].\ \exists t'_j \in [t'_1, \ldots, t'_n].\ t_i\ \mathcal{R}_{\sigma_1}\ t'_j\ \&\ \forall t'_j \in [t'_1, \ldots, t'_n].\ \exists t_i \in [t_1, \ldots, t_m].\ t_i\ \mathcal{R}_{\sigma_1}\ t'_j)$

$t\ \mathcal{R}^\Phi_{\nu X.\sigma_1}\ t' \iff \exists m, n \ge 0.\ \exists t_1, t'_1.\ (t = rec\,x_1 \ldots rec\,x_m.\,in(t_1)\ \&\ t' = rec\,x'_1 \ldots rec\,x'_n.\,in(t'_1)\ \&$
$\qquad t_1[t/x_1, \ldots, t/x_m]\ \mathcal{R}_{\sigma_1[\nu X.\sigma_1 / X]}\ t'_1[t'/x'_1, \ldots, t'/x'_n])$.

¹ $\Pi_{i \in I} A_i$ denotes the infinite cartesian product of the $A_i$'s, for $i \in I$.
The definition above can be viewed as the set-theoretical counterpart of the
definition of relational structures on c.p.o.'s given by Pitts (see [Pit96]). Among
the various differences between our approach and his, we point out that we allow
for nested recursion directly at the outset in Definition 1.7, while Pitts deals with
it separately.

Proposition 1.8. The operator $\Phi : \Pi_{\sigma \in Type}\,\mathcal{P}(T^\circ_\sigma \times T^\circ_\sigma) \to \Pi_{\sigma \in Type}\,\mathcal{P}(T^\circ_\sigma \times T^\circ_\sigma)$
is monotone over the complete lattice $(\Pi_{\sigma \in Type}\,\mathcal{P}(T^\circ_\sigma \times T^\circ_\sigma), \sqsubseteq)$, where
$\{\mathcal{R}_\sigma\}_{\sigma \in Type} \sqsubseteq \{\mathcal{R}'_\sigma\}_{\sigma \in Type}$ iff $\forall \sigma.\ \mathcal{R}_\sigma \subseteq \mathcal{R}'_\sigma$.

Let us denote by $\{\approx_\sigma\}_{\sigma \in Type}$ the greatest fixed point of the operator $\Phi$. This
will be the family of bisimulation equivalences giving the intended semantics of
our system.

The validity of the following coinduction principle follows immediately:

$\forall \sigma \in Type.\ \mathcal{R}_\sigma \subseteq \mathcal{R}^\Phi_\sigma \ \Longrightarrow\ \forall \sigma \in Type.\ \mathcal{R}_\sigma \subseteq\ \approx_\sigma$

We call $\Phi$-bisimulation a family $\{\mathcal{R}_\sigma\}_{\sigma \in Type}$ such that $\forall \sigma \in Type.\ \mathcal{R}_\sigma \subseteq \mathcal{R}^\Phi_\sigma$.

Notice that, using our language of types and the notion of bisimulation equivalences
introduced above, we can recover the case of binary trees, and the case
of non-deterministic processes with strong bisimulation equivalence. In fact, binary
trees can be described as the set of terms $T^\circ_{\nu X.(X \times X) + \sigma_C}$, for $\sigma_C$ a constant
type, while non-deterministic processes over a set of labels $\mathcal{L}$ of type $\sigma_{\mathcal{L}}$ can be
described as the set of terms $T^\circ_{\nu X.\mathcal{P}_f(\sigma_{\mathcal{L}} \times X)}$.



2 A Coinductive Logical System for Bisimulation Equivalence

In this section, we introduce the formal system $\mathcal{S}_{co}$, à la Gentzen, for proving $\approx$-equivalence
between pairs of terms. We will show that $\mathcal{S}_{co}$ axiomatizes exactly,
for all types $\sigma$, the bisimulation equivalence $\approx_\sigma$.



Definition 2.1. Let $\mathcal{S}_{co}$ be the following formal system for deriving judgements
of the shape $\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma$, where $\langle \Delta; \Gamma \rangle$ is the environment and

— $\Delta$ is a partial function from $Var$ to $Type$;

— $\Gamma$ is a multiset of the shape $[t_1 \approx t'_1 : \sigma_1, \ldots, t_n \approx t'_n : \sigma_n]$;

— $\Gamma$ is coherent with $\Delta$, i.e.

$t_i \approx t'_i : \sigma_i \in \Gamma \ \Longrightarrow\ (\Delta \vdash_{type} t_i : \sigma_i\ \&\ \Delta \vdash_{type} t'_i : \sigma_i)$ .

The rules of $\mathcal{S}_{co}$ are the following:



$\dfrac{\Delta \vdash_{type} t : \sigma \quad \Gamma \text{ coherent with } \Delta}{\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t : \sigma}\ (refl)$

$\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} t_1 \approx t_2 : \sigma}{\langle \Delta; \Gamma \rangle \vdash_{co} t_2 \approx t_1 : \sigma}\ (symm)$

$\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} t_1 \approx t_2 : \sigma \quad \langle \Delta; \Gamma \rangle \vdash_{co} t_2 \approx t_3 : \sigma}{\langle \Delta; \Gamma \rangle \vdash_{co} t_1 \approx t_3 : \sigma}\ (trans)$

$\dfrac{\Delta \vdash_{type} t : \sigma \quad \Delta \vdash_{type} t' : \sigma}{\langle \Delta; \Gamma, t \approx t' : \sigma \rangle \vdash_{co} t \approx t' : \sigma}\ (hyp)$

$\dfrac{\Delta \vdash_{type} rec\,x.t : \nu X.\sigma \quad \Gamma \text{ coherent with } \Delta}{\langle \Delta; \Gamma \rangle \vdash_{co} rec\,x.t \approx t[rec\,x.t / x] : \nu X.\sigma}\ (rec)$

$\dfrac{\{\langle \Delta; \Gamma \rangle \vdash_{co} t_i \approx t'_i : \sigma_i\}_{i = 1, 2}}{\langle \Delta; \Gamma \rangle \vdash_{co} <t_1, t_2> \approx <t'_1, t'_2> : \sigma_1 \times \sigma_2}\ (\times cong)$

$\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma_1}{\langle \Delta; \Gamma \rangle \vdash_{co} i_1(t) \approx i_1(t') : \sigma_1 + \sigma_2}\ (+_1 cong)$

$\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma_2}{\langle \Delta; \Gamma \rangle \vdash_{co} i_2(t) \approx i_2(t') : \sigma_1 + \sigma_2}\ (+_2 cong)$

$\dfrac{\{\langle \Delta; \Gamma \rangle \vdash_{co} t_i \approx t'_i : \sigma\}_{i = 1, \ldots, n}}{\langle \Delta; \Gamma \rangle \vdash_{co} [t_1, \ldots, t_n] \approx [t'_1, \ldots, t'_n] : \mathcal{P}_f(\sigma)}\ ([\ ]cong)$

$\dfrac{\Delta \vdash_{type} [t_1, \ldots, t_n] : \mathcal{P}_f(\sigma) \quad \langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma}{\langle \Delta; \Gamma \rangle \vdash_{co} [t, t', t_1, \ldots, t_n] \approx [t, t_1, \ldots, t_n] : \mathcal{P}_f(\sigma)}\ (abs)$

$\dfrac{\langle \Delta; \Gamma, in(t) \approx in(t') : \nu X.\sigma \rangle \vdash_{co} t \approx t' : \sigma[\nu X.\sigma / X]}{\langle \Delta; \Gamma \rangle \vdash_{co} in(t) \approx in(t') : \nu X.\sigma}\ (in)$



The names given to the rules above are suggestive. In particular, the rules (cong) 
are the congruence rules, while rule (abs) is the absorption rule, which embodies 
contraction for equal terms appearing in multisets. 



One can easily check, by induction on derivations, using Lemma 1.6, that the
definition above is well posed, i.e.

$\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma \ \Longrightarrow\ (\Gamma \text{ coherent with } \Delta\ \&\ \Delta \vdash_{type} t : \sigma\ \&\ \Delta \vdash_{type} t' : \sigma)$ .

Notice the "coinductive" nature of the rule (in): in order to establish the
equivalence $\approx$ between terms of the shape $in(t)$ and $in(t')$, we can assume, in the
premise of the rule (in), the judgement that we want to prove, i.e. $in(t) \approx in(t')$.

Remark 2.2. i) In place of rule (in) in the system $\mathcal{S}_{co}$ above, one could use
equivalently the following two rules

$\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma}{\langle \Delta; \Gamma \rangle \vdash_{co} in(t) \approx in(t') : \nu X.\sigma}$

$\dfrac{\langle \Delta; \Gamma, rec\,x.t \approx rec\,y.t' : \nu X.\sigma \rangle \vdash_{co} t \approx t' : \sigma}{\langle \Delta; \Gamma \rangle \vdash_{co} rec\,x.t \approx rec\,y.t' : \nu X.\sigma}$

This latter presentation would emphasize Coquand's correspondence between
guarded infinite objects and guarded infinite proofs, but the presentation of the
system of Definition 2.1 slightly simplifies the proof of Theorem 2.10 below.
ii) When specialized to the type $\nu X.\mathcal{P}_f(\sigma_{\mathcal{L}} \times X)$ of CCS non-deterministic
processes, our logical system provides an alternative axiomatization of Milner's
strong bisimulation ([Mil84]). The crucial difference between our system and
the classical system of Milner is the absence, in $\mathcal{S}_{co}$, of a counterpart to Milner's
rule for recursion, viz:

$\dfrac{t' \approx t[t'/x]}{t' \approx rec\,x.t}\ (uniqueness)$ .

This rule is recovered in $\mathcal{S}_{co}$ by the coinductive rule (in), which amounts to the
coinductive version of the congruence rule for the $rec$ operator in Milner's system.
Milner's system is a Hilbert system. Hence top-down proof search can be rather impractical.
For instance, when confronted with two terms one of which is a $rec$ term, one
has to guess whether to unfold the term or to use rule (uniqueness). On the
contrary, in $\mathcal{S}_{co}$, one can capitalize on hypotheses, and hence the structure of
terms determines essentially, i.e. up to absorption and unfolding, the top-down
search of a proof (see Example 2.4 below). This informal argument will be put to
use in order to show the completeness of $\mathcal{S}_{co}$ (Theorem 2.13) and its decidability.

It is immediate to see, by induction on derivations, that the following Weakening
Lemma holds:

Lemma 2.3 (Weakening). If $\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma$ is derivable in $\mathcal{S}_{co}$ and
$\Gamma'$ is coherent with $\Delta$, then also $\langle \Delta; \Gamma, \Gamma' \rangle \vdash_{co} t \approx t' : \sigma$ is derivable in $\mathcal{S}_{co}$.



We illustrate now the system $\mathcal{S}_{co}$ at work.

Example 2.4. Let $t_1 = rec\,x.in(<c, x>)$ and $t_2 = rec\,y.in(<c, in(<c, y>)>)$,
where $c \in C_j$. Then one can easily check that $\vdash_{type} t_i : \nu X.K_j \times X$, for $i = 1, 2$.
Moreover, using the system $\mathcal{S}_{co}$, one can show that the two terms $t_1$ and $t_2$ are
bisimilar. In fact, up to applications of the rules (rec), (symm), (trans), we can
build a derivation of $\vdash_{co} t_1 \approx t_2 : \nu X.K_j \times X$ as follows:

$\dfrac{\dfrac{\langle \Delta; \Gamma', \Gamma \rangle \vdash_{co} c \approx c : K_j \qquad \langle \Delta; \Gamma', \Gamma \rangle \vdash_{co} t_1 \approx t_2 : \nu X.K_j \times X}{\langle \Delta; \Gamma', \Gamma \rangle \vdash_{co} <c, t_1> \approx <c, t_2> : K_j \times \nu X.K_j \times X}\ (\times cong)}{\langle \Delta; \Gamma \rangle \vdash_{co} in(<c, t_1>) \approx in(<c, t_2>) : \nu X.K_j \times X}\ (in)$

and

$\dfrac{\dfrac{\langle \Delta; \Gamma \rangle \vdash_{co} c \approx c : K_j \qquad \langle \Delta; \Gamma \rangle \vdash_{co} t_1 \approx in(<c, t_2>) : \nu X.K_j \times X}{\langle \Delta; \Gamma \rangle \vdash_{co} <c, t_1> \approx <c, in(<c, t_2>)> : K_j \times \nu X.K_j \times X}\ (\times cong)}{\vdash_{co} in(<c, t_1>) \approx in(<c, in(<c, t_2>)>) : \nu X.K_j \times X}\ (in)$

where

$\Delta = \emptyset$

$\Gamma = [in(<c, t_1>) \approx in(<c, in(<c, t_2>)>) : \nu X.K_j \times X]$

$\Gamma' = [in(<c, t_1>) \approx in(<c, t_2>) : \nu X.K_j \times X]$.

Example 2.5 (Conway Identity). A term with $n > 0$ $rec$'s at the top is equivalent
to a term with just one $rec$, i.e., any term $t = rec\,x_1 \ldots rec\,x_n.\,in(\bar t)$, $n > 0$,
typable with $\nu X.\sigma$, for some $\sigma$, is such that

$\exists \langle \Delta; \Gamma \rangle.\ \langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \nu X.\sigma$ ,

where $t' = rec\,x.in(\bar t[x/x_1, \ldots, x/x_n])$, and the variables $x_1, \ldots, x_n$ are replaced
by the variable $x$ which is new in $\bar t$.

By rules (rec), (symm), (trans), (in) (using also the Weakening Lemma), it is
sufficient to show that the two terms $\bar t[t/x_1, \ldots, t/x_n]$ and $\bar t[t'/x_1, \ldots, t'/x_n]$ are
$\approx$-equivalent. More in general, we show, by structural induction on $\bar t$, that, for
all $n \ge 0$, for all $t_1, \ldots, t_n, t'_1, \ldots, t'_n$ such that $\exists \Delta\, \exists \tau.\ \Delta \vdash_{type} \bar t[t_1/x_1, \ldots, t_n/x_n] : \tau$
and $\Delta \vdash_{type} \bar t[t'_1/x_1, \ldots, t'_n/x_n] : \tau$,

$\exists \Gamma.\ \langle \Delta; \Gamma \rangle \vdash_{co} \bar t[t_1/x_1, \ldots, t_n/x_n] \approx \bar t[t'_1/x_1, \ldots, t'_n/x_n] : \tau$ .

The only non trivial case is that of $\bar t = rec\,y_1 \ldots rec\,y_m.\,in(\bar t')$, for $m > 0$. But,
again by rules (rec), (symm), (trans), (in), it is sufficient to prove that
$\bar t'_1 \approx \bar t'_2 : \tau'$, for a suitable $\tau'$, where
$\bar t'_1 = \bar t'[t_1/x_1, \ldots, t_n/x_n, \bar t/y_1, \ldots, \bar t/y_m]$ and
$\bar t'_2 = \bar t'[t'_1/x_1, \ldots, t'_n/x_n, \bar t/y_1, \ldots, \bar t/y_m]$.
But this follows by induction hypothesis.
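The top-down proof search that Remark 2.2 ii) describes and that Examples 2.4 and 2.5 carry out by hand, as an added Python example (not code from the paper): terms are encoded as nested tuples (an encoding chosen here), `bisim` searches for an $\mathcal{S}_{co}$ derivation with the hypothesis multiset $\Gamma$ threaded through, and the sample terms are the two terms of Example 2.4, a two-`rec` instance of the Conway identity, and CCS-like processes where absorption matters; all function names are chosen here.

```python
"""Top-down proof search in the spirit of S_co for closed regular terms."""
from typing import FrozenSet, Tuple

# Closed terms are nested tuples (encoding constructed for this example):
#   ('var', x)            variable (only under a binding rec)
#   ('const', c)          constant c of some K_j
#   ('inj', j, t)         i_j(t), j in {1, 2}
#   ('pair', t1, t2)      <t1, t2>
#   ('ms', (t1, .., tn))  [t1, .., tn]
#   ('rec', x, t)         rec x.t   (assumed guarded)
#   ('in', t)             in(t)
Term = tuple
Goal = Tuple[Term, Term]


def subst(t: Term, x: str, s: Term) -> Term:
    """t[s/x]; s is assumed closed, so no variable capture can occur."""
    tag = t[0]
    if tag == 'var':
        return s if t[1] == x else t
    if tag == 'const':
        return t
    if tag == 'inj':
        return ('inj', t[1], subst(t[2], x, s))
    if tag == 'pair':
        return ('pair', subst(t[1], x, s), subst(t[2], x, s))
    if tag == 'ms':
        return ('ms', tuple(subst(u, x, s) for u in t[1]))
    if tag == 'in':
        return ('in', subst(t[1], x, s))
    if tag == 'rec':
        # an inner rec binding the same name shadows x
        return t if t[1] == x else ('rec', t[1], subst(t[2], x, s))
    raise ValueError(f"unknown term tag {tag!r}")


def unfold(t: Term) -> Term:
    """Rule (rec): rec x.t' is equivalent to t'[rec x.t'/x]."""
    assert t[0] == 'rec'
    return subst(t[2], t[1], t)


def bisim(t: Term, u: Term, gamma: FrozenSet[Goal] = frozenset()) -> bool:
    """Decide whether <∅; Γ> ⊢_co t ≈ u is derivable for closed terms of one type.

    gamma plays the role of the hypothesis multiset Γ: every goal of the
    shape in(t) ≈ in(u) met on the current branch is recorded (rule (in)),
    and meeting it again closes the branch by rule (hyp).  Regularity
    bounds the number of such goals, so the search terminates.
    """
    if t == u:                                   # (refl)
        return True
    if (t, u) in gamma or (u, t) in gamma:       # (hyp), up to (symm)
        return True
    if t[0] == 'rec':                            # (rec) combined via (trans)
        return bisim(unfold(t), u, gamma)
    if u[0] == 'rec':
        return bisim(t, unfold(u), gamma)
    if t[0] != u[0]:
        return False
    tag = t[0]
    if tag in ('const', 'var'):                  # only (refl) could apply
        return False
    if tag == 'inj':                             # (+1cong) / (+2cong)
        return t[1] == u[1] and bisim(t[2], u[2], gamma)
    if tag == 'pair':                            # (×cong)
        return bisim(t[1], u[1], gamma) and bisim(t[2], u[2], gamma)
    if tag == 'ms':                              # ([ ]cong) together with (abs)
        ts, us = t[1], u[1]
        return (all(any(bisim(a, b, gamma) for b in us) for a in ts)
                and all(any(bisim(a, b, gamma) for a in ts) for b in us))
    if tag == 'in':                              # (in): assume the conclusion
        return bisim(t[1], u[1], gamma | {(t, u)})
    raise ValueError(f"unknown term tag {tag!r}")


# Example 2.4 of the paper in the tuple encoding.
C = ('const', 'c')
T1 = ('rec', 'x', ('in', ('pair', C, ('var', 'x'))))
T2 = ('rec', 'y', ('in', ('pair', C, ('in', ('pair', C, ('var', 'y'))))))

# A two-rec instance of Example 2.5 (Conway identity), constructed here.
T_NESTED = ('rec', 'x1', ('rec', 'x2',
            ('in', ('pair', C, ('pair', ('var', 'x1'), ('var', 'x2'))))))
T_SINGLE = ('rec', 'x', ('in', ('pair', C, ('pair', ('var', 'x'), ('var', 'x')))))

# CCS-like processes of type νX.P_f(σ_L × X), constructed here.
A, B = ('const', 'a'), ('const', 'b')
P_DUP = ('rec', 'p', ('in', ('ms', (('pair', A, ('var', 'p')),
                                    ('pair', A, ('var', 'p'))))))
P_ONE = ('rec', 'q', ('in', ('ms', (('pair', A, ('var', 'q')),))))
P_AB = ('rec', 'r', ('in', ('ms', (('pair', A, ('var', 'r')),
                                   ('pair', B, ('var', 'r'))))))

if __name__ == '__main__':
    print(bisim(T1, T2), bisim(T_NESTED, T_SINGLE),
          bisim(P_DUP, P_ONE), bisim(P_DUP, P_AB))
```

The search records only goals of the shape $in(t) \approx in(u)$, exactly as rule (in) does, so failures such as `bisim(P_DUP, P_AB)` are genuine: the $b$-branch of the second process has no partner in the first.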






The rest of this section is devoted to the proof of the fact that the system
$\mathcal{S}_{co}$ axiomatizes exactly, for all types $\sigma$, the bisimulation equivalence $\approx_\sigma$. More
precisely, we will prove that, for all $\sigma \in Type$ and for all $t, t' \in T^\circ_\sigma$,

$\vdash_{co} t \approx t' : \sigma \ \iff\ t \approx_\sigma t'$ .

We will refer to the implication ($\Longrightarrow$) as the correctness of the system $\mathcal{S}_{co}$
w.r.t. $\approx_\sigma$, and to the implication ($\Longleftarrow$) as the completeness of the system $\mathcal{S}_{co}$
w.r.t. $\approx_\sigma$.



2.1 Correctness of $\mathcal{S}_{co}$

First we need a technical definition.

Definition 2.6. A sequent $\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_n \approx t'_n : \sigma_n \rangle \vdash_{co} t_{n+1} \approx t'_{n+1} : \sigma_{n+1}$
is completely derivable in $\mathcal{S}_{co}$ if there exist derivations in $\mathcal{S}_{co}$ of
$\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_{i-1} \approx t'_{i-1} : \sigma_{i-1} \rangle \vdash_{co} t_i \approx t'_i : \sigma_i$, for all $i = 1, \ldots, n+1$.

In order to show the correctness of $\mathcal{S}_{co}$, we will prove that the following family
of relations is a $\Phi$-bisimulation:

Definition 2.7. Let $\sigma \in Type$. We define

$\mathcal{R}^{\mathcal{S}}_\sigma = \{(t, t') \in T^\circ_\sigma \times T^\circ_\sigma \mid \exists \langle \Delta; \Gamma \rangle.\ \langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma \text{ completely derivable}\}$ .

The following two lemmata are instrumental.

Lemma 2.8. Let $\langle \Delta; \Gamma \rangle \vdash_{co} t \approx t' : \sigma$ be a completely derivable sequent.
Then

1. If $\sigma = \sigma_1 + \sigma_2$, $t = i_j(\bar t)$ and $t' = i_j(\bar t')$ for some $j \in \{1, 2\}$, then also
$\langle \Delta; \Gamma \rangle \vdash_{co} \bar t \approx \bar t' : \sigma_j$ is a completely derivable sequent.

2. If $\sigma = \sigma_1 \times \sigma_2$, $t = <t_1, t_2>$ and $t' = <t'_1, t'_2>$, then also $\langle \Delta; \Gamma \rangle \vdash_{co} t_i \approx t'_i : \sigma_i$, for all
$i = 1, 2$, is a completely derivable sequent.

3. If $\sigma = \mathcal{P}_f(\sigma_1)$, $t = [t_1, \ldots, t_m]$ and $t' = [t'_1, \ldots, t'_n]$, then $\forall i \in \{1, \ldots, m\}.\ \exists j \in \{1, \ldots, n\}$
such that $\langle \Delta; \Gamma \rangle \vdash_{co} t_i \approx t'_j : \sigma_1$ is a completely derivable
sequent, and $\forall j \in \{1, \ldots, n\}.\ \exists i \in \{1, \ldots, m\}$ such that $\langle \Delta; \Gamma \rangle \vdash_{co} t_i \approx t'_j : \sigma_1$
is a completely derivable sequent.

Proof. The proof is by induction on the sum of the lengths of the derivations
$r$ and $r_i$'s, where $r$ denotes the derivation of $\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_n \approx t'_n : \sigma_n \rangle \vdash_{co} t \approx t' : \sigma$
and $r_i$ denotes the derivation of $\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_{i-1} \approx t'_{i-1} : \sigma_{i-1} \rangle \vdash_{co} t_i \approx t'_i : \sigma_i$,
for $i = 1, \ldots, n$. We work out in detail only the
proof of item 3, the proofs of the other two items are similar.

Base Case: The only rule applied in $r$ is (refl). The thesis follows using Lemma
1.5 and rule (refl).

Induction Step: we proceed by analyzing the last rule applied in $r$. If the last rule
is (refl), then again the thesis follows using Lemma 1.5 and rule (refl). If the last
rule is (symm) or (hyp), the thesis follows immediately by induction hypothesis.
If the last rule is (trans), then the thesis follows by induction hypothesis, using
Lemma 1.5. If the last rule is (abs), the thesis follows using Lemma 1.5 and rule
(refl). Finally, if the last rule in $r$ is ([ ]cong), then the thesis is immediate. □



Lemma 2.9. Let $\sigma \in Type$. Then

i) For all $t \in T^\circ_\sigma$, $t\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t$.

ii) For all $t_1, t_2 \in T^\circ_\sigma$, $t_1\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t_2 \ \Longrightarrow\ t_2\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t_1$.

iii) For all $t_1, t_2, t_3 \in T^\circ_\sigma$ such that, for some $\Gamma, \Gamma', \Delta$, the sequents $\langle \Delta; \Gamma \rangle \vdash_{co} t_1 \approx t_2 : \sigma$
and $\langle \Delta; \Gamma' \rangle \vdash_{co} t_2 \approx t_3 : \sigma$ are completely derivable,

$[t_1\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t_2\ \&\ t_2\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t_3] \ \Longrightarrow\ t_1\ (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma\ t_3$ .

Proof. Both items i) and ii) can be easily shown by case analysis on $\sigma$, using
Lemma 1.5. Item iii) is shown by case analysis on $\sigma$, using Lemmata 2.3 and 2.8. □



Theorem 2.10 (Correctness). Let $\sigma \in Type$. For all $t, t' \in T^\circ_\sigma$,

$\vdash_{co} t \approx t' : \sigma \ \Longrightarrow\ t \approx_\sigma t'$ .

Proof. We show that the family $\{\mathcal{R}^{\mathcal{S}}_\sigma\}_{\sigma \in Type}$ is a $\Phi$-bisimulation, i.e. we have
to show that $\forall \sigma.\ \mathcal{R}^{\mathcal{S}}_\sigma \subseteq (\mathcal{R}^{\mathcal{S}})^\Phi_\sigma$. We prove this by induction on the sum of
the lengths of the derivations $r$ and $r_i$'s, where $r$ denotes the derivation of
$\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_n \approx t'_n : \sigma_n \rangle \vdash_{co} t \approx t' : \nu X.\sigma$ and $r_i$ denotes the
derivation of $\langle \Delta; t_1 \approx t'_1 : \sigma_1, \ldots, t_{i-1} \approx t'_{i-1} : \sigma_{i-1} \rangle \vdash_{co} t_i \approx t'_i : \sigma_i$, for
$i = 1, \ldots, n$.

Base Case: The only rule applied in $r$ is (refl) or (rec). The thesis follows from
item i) of Lemma 2.9.

Induction Step: We proceed by analyzing the last rule applied in $r$. If the last
rule is (refl) or (rec), then again the thesis follows from item i) of Lemma 2.9.
If the last rule is (symm), then the thesis is immediate by induction hypothesis,
using item ii) of Lemma 2.9. If the last rule is (trans), then again the thesis is
immediate by induction hypothesis, using item iii) of Lemma 2.9. If the last rule
in $r$ is one of the following $(\times cong)$, $(+_1 cong)$, $(+_2 cong)$, ([ ]cong), (abs), then
the thesis is immediate. Finally, if the last rule in $r$ is (hyp) or (in), then
the thesis follows immediately from the induction hypothesis. □



2.2 Completeness of $S_{co}$

In order to show the completeness of the system $S_{co}$, we need to exploit the implicit regularity of the terms expressible in our language. Namely, we introduce the notion of the set of subterms of a given term.

Definition 2.11. Let $t \in T_\sigma$. The set of subterms of $t$, $sub(t)$, is defined by induction on $t$ as follows:

— if $t = x \in Var$ or $t = c \in C$, then $sub(t) = \{t\}$;

— if $t = i_j(t')$ for some $j \in \{1, 2\}$, then $sub(t) = \{t\} \cup sub(t')$;

— if $t = \langle t_1, t_2 \rangle$, then $sub(t) = \{t\} \cup sub(t_1) \cup sub(t_2)$;

— if $t = [t_1, \ldots, t_n]$, for some $n \geq 0$, then $sub(t) = \{t\} \cup \bigcup_{i = 1, \ldots, n} sub(t_i)$;

— if $t = in(t')$, then $sub(t) = \{t\} \cup sub(t')$;

— if $t = rec\, x.t'$, then $sub(t) = \{t\} \cup \{t_1[t/x] \mid t_1 \in sub(t')\}$.

The following lemma can be immediately shown by induction on terms.

Lemma 2.12. For all $\sigma$ and for all $t \in T_\sigma$,

i) the set $sub(t)$ is finite;

ii) $\forall t' \in sub(t).\ sub(t') \subseteq sub(t)$.
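As an added illustration (not part of the paper), the following Python code implements $sub(t)$ of Definition 2.11 on a small encoding of the term language and checks both items of Lemma 2.12 on a constructed regular term; the tuple encoding of terms, the substitution function and the sample term are assumptions of this example, not the paper's notation.

```python
# Added example (not from the paper): the term language of Section 2 and the
# set of subterms sub(t) of Definition 2.11, with Lemma 2.12 checked on a
# constructed regular term. Terms are nested tuples tagged by constructor
# (an encoding assumed here):
#   ("var", x) | ("const", c) | ("inj", j, t) | ("pair", t1, t2)
#   | ("set", (t1, ..., tn)) | ("in", t) | ("rec", x, t)

def subst(t, x, s):
    """t[s/x]: replace the free occurrences of variable x in t by s."""
    tag = t[0]
    if tag == "var":
        return s if t[1] == x else t
    if tag == "const":
        return t
    if tag == "inj":
        return ("inj", t[1], subst(t[2], x, s))
    if tag == "pair":
        return ("pair", subst(t[1], x, s), subst(t[2], x, s))
    if tag == "set":
        return ("set", tuple(subst(u, x, s) for u in t[1]))
    if tag == "in":
        return ("in", subst(t[1], x, s))
    if tag == "rec":
        # rec binds its variable: stop if x is shadowed, else substitute below
        return t if t[1] == x else ("rec", t[1], subst(t[2], x, s))
    raise ValueError(f"unknown term {t!r}")

def sub(t):
    """sub(t) as in Definition 2.11; a finite set (Lemma 2.12 i)."""
    tag = t[0]
    if tag in ("var", "const"):
        return {t}
    if tag == "inj":
        return {t} | sub(t[2])
    if tag == "pair":
        return {t} | sub(t[1]) | sub(t[2])
    if tag == "set":
        return {t}.union(*(sub(u) for u in t[1]))
    if tag == "in":
        return {t} | sub(t[1])
    if tag == "rec":
        # the subterms of the body, with the whole rec-term put back for x
        x, body = t[1], t[2]
        return {t} | {subst(u, x, t) for u in sub(body)}
    raise ValueError(f"unknown term {t!r}")

def closed_under_sub(t):
    """Lemma 2.12 ii): every t' in sub(t) satisfies sub(t') subset of sub(t)."""
    st = sub(t)
    return all(sub(u) <= st for u in st)

# Constructed sample: the alternating stream 0, 1, 0, 1, ... written as the
# regular term  rec x. in(<0, in(<1, x>)>)  of type  nu X.(kappa x X).
STREAM_01 = ("rec", "x",
             ("in", ("pair", ("const", 0),
                     ("in", ("pair", ("const", 1), ("var", "x"))))))

def subterm_count(t):
    """Size of sub(t); 7 for STREAM_01, since x[t/x] = t is already counted."""
    return len(sub(t))
```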

Now we are in the position of stating the Completeness Theorem for the system $S_{co}$. The proof of this theorem consists in showing that, if two terms $t, t' \in T^0_\sigma$ are $\approx_\sigma$-bisimilar, then, since they have only a finite number of subterms, we can build a derivation of $\vdash_{co} t \sim t' : \sigma$ in a top-down fashion.

Theorem 2.13 (Completeness). Let $\sigma \in Type$. For all $t, t' \in T^0_\sigma$,

$t \approx_\sigma t' \implies\ \vdash_{co} t \sim t' : \sigma$.

Proof. We prove that, if $t \approx_\sigma t'$, then for all $t_1, \ldots, t_n \in sub(t)$, $t'_1, \ldots, t'_n \in sub(t')$ such that $\forall i = 1, \ldots, n.\ t_i, t'_i \in T^0_{\sigma_i} \ \&\ t_i \approx_{\sigma_i} t'_i$, there exists a derivation of $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} t \sim t' : \sigma$.

Suppose by contradiction that $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} t \sim t' : \sigma$ is not derivable. Then we show that there exists an infinite sequence of distinct pairs of processes $t_i, t'_i \in T^0$ such that $t_i \approx t'_i$ and $t_i \in sub(t)$, $t'_i \in sub(t')$, for $i = 1, \ldots, n$, which is clearly impossible because, by Lemma 2.12, $sub(t)$ and $sub(t')$ are finite. In fact, if $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} \bar{t} \sim \bar{t}' : \bar{\sigma}$ is not derivable, then we show that a sequent of the following shape is not derivable: $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n, t_{n+1} \sim t'_{n+1} : \sigma_{n+1} \vdash_{co} \hat{t} \sim \hat{t}' : \hat{\sigma}$, for some $\hat{t} \in sub(t)$, $\hat{t}' \in sub(t')$, such that $t_{n+1} \approx_{\sigma_{n+1}} t'_{n+1}$, and the hypothesis $t_{n+1} \sim t'_{n+1} : \sigma_{n+1}$ is new, in the sense that it does not appear among $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n$. This latter fact is proved by induction on the structure of $\bar{\sigma}$.

If $\bar{\sigma} = \kappa_j$, then the sequent $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} \bar{t} \sim \bar{t}' : \kappa_j$ is immediately derivable, since $\bar{t} \approx_{\kappa_j} \bar{t}' \implies \bar{t} = \bar{t}' \in C_j$.

If $\bar{\sigma} = \nu X_1.\sigma_1$, then there exist $m, n \geq 0$ such that $\bar{t} = rec\, x_1 \ldots rec\, x_m.in(t)$ and $\bar{t}' = rec\, x_1 \ldots rec\, x_n.in(t')$, for some terms $t, t'$. Then, by rule (in) (possibly using rules (rec), (symm), and (trans)), also $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n, in(t)[\bar{t}/x_1, \ldots, \bar{t}/x_m] \sim in(t')[\bar{t}'/x_1, \ldots, \bar{t}'/x_n] : \nu X_1.\sigma_1 \vdash_{co} t[\bar{t}/x_1, \ldots, \bar{t}/x_m] \sim t'[\bar{t}'/x_1, \ldots, \bar{t}'/x_n] : \sigma_1[\nu X_1.\sigma_1/X_1]$ is not derivable, and the pair $in(t)[\bar{t}/x_1, \ldots, \bar{t}/x_m] \sim in(t')[\bar{t}'/x_1, \ldots, \bar{t}'/x_n] : \nu X_1.\sigma_1$ is new among $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n$, otherwise we would already have a proof of the sequent $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} \bar{t} \sim \bar{t}' : \bar{\sigma}$.

If $\bar{\sigma} = \sigma_1 + \sigma_2$, then $\bar{t} = i_j(t_j)$ and $\bar{t}' = i_j(t'_j)$, for some $j \in \{1, 2\}$ and, by rule ($+_j$cong) (possibly using rules (rec), (symm), and (trans)), also the sequent $t_1 \sim t'_1 : \sigma_1, \ldots, t_n \sim t'_n : \sigma_n \vdash_{co} t_j \sim t'_j : \sigma_j$ is not derivable. Hence we can apply the induction hypothesis to $\sigma_j$, since, by definition of $\approx_{\sigma_1 + \sigma_2}$, we have also $t_j \approx_{\sigma_j} t'_j$.

Finally, the cases $\bar{\sigma} = \sigma_1 \times \sigma_2$ and $\bar{\sigma} = \mathcal{P}_f(\sigma_1)$ are dealt with similarly to the previous case. □

The proof of Theorem 2.13 above is given by contradiction just for the sake of conciseness. Clearly a constructive proof can be easily obtained from the proof above. As a side remark, we point out that a proof of decidability of $\approx$-equivalence can be easily obtained using the argument of the above proof.



3 Categorical Semantics 

In this section we give a categorical final semantics in the style of [Acz88, RT93, Len96, Rut96, Len98] (to which we refer for further details on this topic) to our language, and we show that it captures exactly the greatest fixed point semantics of Section 1.

The interest of this categorical semantics is that it achieves a significant degree of generality, in that it subsumes naturally a great number of concrete examples of infinite objects in programming. The significance of a final semantics for a language like ours is that, contrary to the fixed point semantics, it allows us to embody as a point of a final coalgebra a canonical "minimal" representative for each equivalence class of terms. These denotations are the mathematical counterparts of our intuitive circular objects. Notice that defining a final semantics for a language with a given notion of equivalence is not a mechanical task.

We work in the category $Set^*$ of non-wellfounded sets and set-theoretic functions for simplicity, but we could have also worked in other categories based on sets. Denotations would have become rather obscure, however. We proceed as follows. We define a "universal" endofunctor $F$, embodying constructors corresponding to the type constructors. Then we endow the set $\sum_{\sigma \in Type} T^0_\sigma$, i.e. the disjoint sum of all closed typable terms, with a structure of $F$-coalgebra. Finally, we show that the largest $F$-bisimulation on the coalgebra defined on $\sum_{\sigma \in Type} T^0_\sigma$ coincides with the family of bisimulation equivalences introduced in Section 1.

Our categorical semantics could be equivalently presented in the framework of categories indexed over types. But, for the sake of simplicity, we prefer the set-theoretic setting.

For more information on the Final Semantics paradigm see e.g. [Len98].
Definition 3.1. Let $F : Set^* \to Set^*$ be the functor defined by:

$$F(X) = \sum_{\sigma \in Type} \Big( \sum_{j < n} C_j + (X + X) + (X \times X) + \mathcal{P}_f(X) \Big).$$

We endow the set $\sum_{\sigma \in Type} T^0_\sigma$ with a structure of $F$-coalgebra as follows:

Definition 3.2. Let $\alpha : \sum_{\sigma \in Type} T^0_\sigma \to F(\sum_{\sigma \in Type} T^0_\sigma)$ be the function defined by:

$$\alpha(t) = (\sigma, z),$$

where

$$z = \begin{cases}
in_\kappa(c) & \text{if } A_{\kappa_j} \\
in_+(i_j(t_i)) & \text{if } A_{\sigma_1 + \sigma_2} \\
in_\times(t_1, t_2) & \text{if } A_{\sigma_1 \times \sigma_2} \\
in_{\mathcal{P}_f}([t_1, \ldots, t_m]) & \text{if } A_{\mathcal{P}_f(\sigma_1)} \\
in_\kappa(c) & \text{if } A_{\nu X.\kappa_j} \\
in_+(i_j(t_i[t/x_1, \ldots, t/x_n])) & \text{if } A_{\nu X.\sigma_1 + \sigma_2} \\
in_\times(t_1[t/x_1, \ldots, t/x_n], t_2[t/x_1, \ldots, t/x_n]) & \text{if } A_{\nu X.\sigma_1 \times \sigma_2} \\
in_{\mathcal{P}_f}([t_1[t/x_1, \ldots, t/x_n], \ldots, t_m[t/x_1, \ldots, t/x_n]]) & \text{if } A_{\nu X.\mathcal{P}_f(\sigma_1)}
\end{cases}$$

where $in_\kappa, in_+, in_\times, in_{\mathcal{P}_f}$ denote canonical injections into the disjoint sum and

$A_{\kappa_j} = (\sigma = \kappa_j \ \wedge\ t = c \in C_j)$

$A_{\sigma_1 + \sigma_2} = (\sigma = \sigma_1 + \sigma_2 \ \wedge\ t = i_j(t_i))$

$A_{\sigma_1 \times \sigma_2} = (\sigma = \sigma_1 \times \sigma_2 \ \wedge\ t = \langle t_1, t_2 \rangle)$

$A_{\mathcal{P}_f(\sigma_1)} = (\sigma = \mathcal{P}_f(\sigma_1) \ \wedge\ t = [t_1, \ldots, t_m])$

$A_{\nu X.\kappa_j} = (\sigma = \nu X.\kappa_j \ \wedge\ t = rec\, x_1 \ldots rec\, x_n.in(c) \ \wedge\ c \in C_j)$

$A_{\nu X.\sigma_1 + \sigma_2} = (\sigma = \nu X.\sigma_1 + \sigma_2 \ \wedge\ t = rec\, x_1 \ldots rec\, x_n.in(i_j(t_i)))$

$A_{\nu X.\sigma_1 \times \sigma_2} = (\sigma = \nu X.\sigma_1 \times \sigma_2 \ \wedge\ t = rec\, x_1 \ldots rec\, x_n.in(\langle t_1, t_2 \rangle))$

$A_{\nu X.\mathcal{P}_f(\sigma_1)} = (\sigma = \nu X.\mathcal{P}_f(\sigma_1) \ \wedge\ t = rec\, x_1 \ldots rec\, x_n.in([t_1, \ldots, t_m]))$
Now, our goal is that of showing that the largest $F$-bisimulation on the coalgebra $(\sum_{\sigma \in Type} T^0_\sigma, \alpha)$ coincides exactly with the family of bisimulation equivalences $\{\approx_\sigma\}_{\sigma \in Type}$ defined in Section 1. First of all, we recall the definition of categorical $F$-bisimulation:

Definition 3.3. Let $F : Set^* \to Set^*$. An $F$-bisimulation on the $F$-coalgebra $(X, \alpha_X)$ is a set-theoretic relation $\mathcal{R} \subseteq X \times X$ such that there exists an arrow of $Set^*$, $\gamma : \mathcal{R} \to F(\mathcal{R})$, making the following diagram commute:

                 π1              π2
        X  <-----------  R  ----------->  X
        |                |                |
      α_X                γ               α_X
        v                v                v
      F(X) <---------- F(R) ----------> F(X)
               F(π1)           F(π2)

The proof of the following proposition is routine:

Proposition 3.4. The largest $F$-bisimulation on the coalgebra $(\sum_{\sigma \in Type} T^0_\sigma, \alpha)$ is the family $\{\approx_\sigma\}_{\sigma \in Type}$.



4 Final Remarks and Directions for Future Work 

In this paper, we have presented a "coinductive" axiomatization of the bisimulation equivalence on non-wellfounded regular objects. Moreover, we have shown that it is complete with respect to a maximal fixed point semantics and also to a categorical semantics. Our presentation makes use of a typed language for denoting circular terms.

We could generalize our language of terms so as to allow non-regular objects, 
still getting a sound axiomatization. In fact, the regularity property is crucial 
only for proving the completeness of our system. 

There are various other promising directions for possible generalizations and 
extensions of the coinductive axiomatization presented in this paper. 

— Categories other than the purely set-theoretical ones could be investigated. 
This would involve the use of a generalized notion of set-theoretic relation. 
In the case of c.p.o.’s, this should go in the direction of providing a formal 
system for expressing Pitts’ relational structures ([Pit96]). 

— A richer collection of types, including inductive types and the mixed covariant-contravariant $\to$ constructor, could be considered, as well as destructors in terms.

— Coarser notions of bisimulations other than Milner’s strong bisimulation 
could be considered, e.g. weak bisimulation and congruence, van Glabbeek- 
Weijland branching bisimulation, Montanari-Sassone dynamic bisimulation. 

— Other coinductively defined equivalences, arising in different contexts, could be considered, e.g. equivalence of streams representing exact reals.

— Finally, it would be interesting to compare systems like $S_{co}$ to other logics for bisimulations (see e.g. [Mos?]).
Abstract. The class of string languages obtained by taking the yields of output tree languages of total deterministic macro tree transducers (MTTs) is investigated. The first main result is that MTTs which are linear and nondeleting in the parameters generate the same class of string languages as total deterministic top-down tree transducers. The second main result is a so-called "bridge theorem"; it can be used to show that there is a string language generated by a nondeterministic top-down tree transducer with monadic input, i.e., an ET0L language, which cannot be generated by an MTT. In fact, it is shown that this language cannot even be generated by the composition closure of MTTs; hence it is also not in the IO-hierarchy.



1 Introduction 

Macro tree transducers [Eng80, CF82, EV85, EM98] are a well-known model of syntax-directed semantics (for a recent survey, see [FV98]). They are obtained by combining top-down tree transducers with macro grammars. In contrast to top-down tree transducers they have the ability to handle context information. This is done by parameters.

A total deterministic macro tree transducer (for short, MTT) $M$ realizes a translation $\tau_M$ which is a function from trees to trees. The input trees may, for instance, be derivation trees of a context-free grammar which describes the syntax of some programming language (the source language). To every input tree $s$ (viz. the derivation tree of a source program $P$) $M$ associates the tree $\tau_M(s)$. This tree may then be interpreted in an appropriate semantic domain, e.g., yielding a program in another programming language (the target language): the semantics of $P$. One specific, quite popular, such domain is the one of strings with concatenation as only operation. More precisely, every symbol of rank greater than zero is interpreted as concatenation and constant symbols are interpreted as letters. The interpretation of a tree $t$ in this domain is simply its yield (or frontier, i.e., the string obtained from $t$ by reading its leaves from left to right). Thus, an MTT $M$ can be seen as a translation device from trees to strings. Taking a tree language as input it generates a formal language as output. It is this class of formal languages (viz. the sets of target programs that can be generated) which we investigate in this paper.

* This work was supported by the EC TMR Network GETGRATS.

An MTT M such that each right-hand side of a rule is linear and nondelet- 
ing in the parameters, that is, every parameter occurs exactly once, will be 
called simple in the parameters. This means that M cannot copy by means of 
its parameters. We prove that the class of string languages generated by such 
MTTs equals the class of string languages generated by top-down tree transduc- 
ers. Hence the parameters can be eliminated. It is known that for unrestricted 
MTTs this is not the case; also if we consider output tree languages, MTTs that 
are simple in the parameters can do more than top-down tree transducers: they 
can generate tree languages that have non-regular path languages, which cannot 
be done by top-down tree transducers. For a more severe restriction, namely, the 
finite copying restriction, MTTs generate the same class of string languages as 
finite copying top-down tree transducers (Corollary 7.10 of [EM98]). 

Now consider the case that we want to prove that a certain tree language $R$ cannot be generated (as output tree language) by any MTT. In general this is difficult for there are very few appropriate tools: there exists a pumping lemma [Kuh98] for a restricted case of MTTs. If we know that the string language obtained by taking the yields of the trees in $R$ cannot be generated by any MTT, then we immediately know that $R$ cannot be generated by an MTT. Since there are many tree languages with the same yield language, it is much stronger to know that a string language cannot be generated by an MTT than to know this for a tree language. We present a tool which is capable of proving that certain string languages $L$ cannot be generated by an MTT. More precisely we will show that if $L$ is of the form $f(L')$ for some fixed operation $f$, then $L'$ can be generated by an MTT which is simple in the parameters; by our first result this means that $L'$ can be generated by a top-down tree transducer. The proof is a direct generalization of Fischer's result on IO macro grammars: in the proof of Theorem 3.4.3 in [Fis68] it is proved that if $f(L)$ is an IO macro language then $L$ can be generated by an IO macro grammar which is simple in the parameters. The result shows that the structure of $L$ forces it from a bigger into a smaller class; it gives a "bridge" from the bigger (viz. unrestricted MTTs) into the smaller class (viz. MTTs which are simple in the parameters). For this smaller class, i.e., the class of string languages generated by top-down tree transducers, there exists another bridge theorem into yet another smaller class (using the same operation $f$), namely the class of string languages generated by finite copying top-down tree transducers [ERS80]. Due to the limited copying power of this class, it only contains languages that are of linear growth (they have the "Parikh property"); thus, languages like $L_{exp}$ are not in this class. Altogether we get that $f(f(L'))$, where $L'$ is a non-Parikh language (e.g., $L_{exp}$), cannot be generated by an MTT; in fact, we prove that it cannot be generated by any composition of MTTs.

This paper is structured as follows. In Section 2 we fix some notions used 
throughout the paper. Section 3 recalls macro tree transducers. In Section 4 we 
establish our two main results. Section 5 concludes with some open problems. 
2 Preliminaries

The set $\{0, 1, \ldots\}$ of natural numbers is denoted by $\mathbb{N}$. The empty set is denoted by $\emptyset$. For $k \in \mathbb{N}$, $[k]$ denotes the set $\{1, \ldots, k\}$; thus $[0] = \emptyset$. For a set $A$, $A^*$ is the set of all strings over $A$. The empty string is denoted by $\varepsilon$ and the length of a string $w$ is denoted $|w|$. For strings $v, w_1, \ldots, w_n \in A^*$ and distinct $a_1, \ldots, a_n \in A$, we denote by $v[a_1 \leftarrow w_1, \ldots, a_n \leftarrow w_n]$ the result of (simultaneously) substituting $w_i$ for every occurrence of $a_i$ in $v$. Note that $[a_1 \leftarrow w_1, \ldots, a_n \leftarrow w_n]$ is a homomorphism on strings. For a condition $F$ on $a$ and $w$ we use, similar to set notation, $[a \leftarrow w \mid F]$ to denote the substitution $[L]$, where $L$ is the list of all $a \leftarrow w$ for which condition $F$ holds.

For functions $f : A \to B$ and $g : B \to C$ their composition is $(f \circ g)(x) = g(f(x))$; note that the order of $f$ and $g$ is nonstandard. For sets of functions $F$ and $G$ their composition is $F \circ G = \{f \circ g \mid f \in F, g \in G\}$.

2.1 Trees 

A set $\Sigma$ together with a mapping $rank_\Sigma : \Sigma \to \mathbb{N}$ is called a ranked set. For $k \in \mathbb{N}$, $\Sigma^{(k)}$ denotes the set $\{\sigma \in \Sigma \mid rank_\Sigma(\sigma) = k\}$. We will often write $\sigma^{(k)}$ to indicate that $rank_\Sigma(\sigma) = k$.

The set of trees over $\Sigma$, denoted by $T_\Sigma$, is the smallest set of strings $T \subseteq (\Sigma \cup \{(, ), ,\})^*$ such that if $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $t_1, \ldots, t_k \in T$, then $\sigma(t_1, \ldots, t_k) \in T$. For $\sigma \in \Sigma^{(0)}$ we denote the tree $\sigma()$ also by $\sigma$. For a set $A$, $T_\Sigma(A)$ denotes the set $T_{\Sigma \cup A}$, where every symbol of $A$ has rank 0, and $\langle \Sigma, A \rangle$ denotes the ranked set $\{\langle \sigma, a \rangle^{(k)} \mid \sigma \in \Sigma^{(k)}, a \in A\}$ (if $\Sigma$ is unranked, then every symbol in $\langle \Sigma, A \rangle$ is of rank zero). We fix the set of variables $X$ as $\{x_1, x_2, \ldots\}$ and the set of parameters $Y$ as $\{y_1, y_2, \ldots\}$. For $k \in \mathbb{N}$, $X_k$ and $Y_k$ denote the sets $\{x_1, \ldots, x_k\}$ and $\{y_1, \ldots, y_k\}$, respectively.

For a tree $t$, the string obtained by reading the labels of its leaves from left to right, called the yield of $t$, is denoted by $yt$. The special symbol $e$ of rank zero will be used to denote the empty string $\varepsilon$ (e.g., $y(\sigma(a, e)) = a$ and $ye = \varepsilon$). For a string $w = a_1 \cdots a_n$ and a binary symbol $b$ let $comb_b(w)$ denote the tree $b(a_1, b(a_2, \ldots b(a_n, e) \ldots))$ over $\{b^{(2)}, a_1^{(0)}, \ldots, a_n^{(0)}, e^{(0)}\}$; note that $y\,comb_b(w) = w$.

A subset $L$ of $T_\Sigma$ is called a tree language. The class of all regular (or, recognizable) tree languages is denoted by REGT (cf., e.g., [GS97]). For a tree language $L$ we denote by $yL$ the string language $\{yt \mid t \in L\}$ and for a class of tree languages $\mathcal{L}$ we denote by $y\mathcal{L}$ the class of string languages $\{yL \mid L \in \mathcal{L}\}$. A relation $\tau \subseteq T_\Sigma \times T_\Delta$ is called a tree translation or simply translation; by $y\tau$ we denote $\{(s, yt) \mid (s, t) \in \tau\}$. For a tree language $L \subseteq T_\Sigma$, $\tau(L)$ denotes the set $\{t \in T_\Delta \mid (s, t) \in \tau \text{ for some } s \in L\}$. For a class $\mathcal{T}$ of tree translations and a class $\mathcal{L}$ of tree languages, $\mathcal{T}(\mathcal{L})$ denotes the class of tree languages $\{\tau(L) \mid \tau \in \mathcal{T}, L \in \mathcal{L}\}$ and $y\mathcal{T}$ denotes $\{y\tau \mid \tau \in \mathcal{T}\}$.

String Languages Generated by Total Deterministic Macro Tree Transducers 261

2.2 Tree Substitution and Relabelings

Note that trees are particular strings and that string substitution as defined in the beginning of this section is applicable to a tree to replace symbols of rank zero; we refer to this type of substitution as "first order tree substitution".

Let $\Sigma$ be a ranked set and let $\sigma_1, \ldots, \sigma_n$ be distinct elements of $\Sigma$, $n \geq 1$, and for each $i \in [n]$ let $s_i$ be a tree in $T_\Sigma(Y_k)$, where $k = rank_\Sigma(\sigma_i)$. For $t \in T_\Sigma$, the second order substitution of $s_i$ for $\sigma_i$ in $t$, denoted by $t[\sigma_1 \leftarrow s_1, \ldots, \sigma_n \leftarrow s_n]$, is inductively defined as follows (abbreviating $[\sigma_1 \leftarrow s_1, \ldots, \sigma_n \leftarrow s_n]$ by $[\ldots]$). For $t = \sigma(t_1, \ldots, t_k)$ with $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $t_1, \ldots, t_k \in T_\Sigma$, (i) if $\sigma = \sigma_i$ for an $i \in [n]$, then $t[\ldots] = s_i[y_j \leftarrow t_j[\ldots] \mid j \in [k]]$ and (ii) otherwise $t[\ldots] = \sigma(t_1[\ldots], \ldots, t_k[\ldots])$. For a condition $F$ on $\sigma$ and $s$, we use $[\sigma \leftarrow s \mid F]$ to denote the substitution $[L]$, where $L$ is the list of all $\sigma \leftarrow s$ for which condition $F$ holds.

A (deterministic) finite state relabeling $M$ is a tuple $(Q, \Sigma, \Delta, F, R)$, where $Q$ is a finite set of states, $\Sigma$ and $\Delta$ are ranked alphabets of input and output symbols, respectively, $F \subseteq Q$ is a set of final states, and $R$ is a finite set of rules such that for every $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $q_1, \ldots, q_k \in Q$, there is exactly one rule of the form $\sigma(\langle q_1, x_1 \rangle, \ldots, \langle q_k, x_k \rangle) \to \langle q, \delta(x_1, \ldots, x_k) \rangle$ in $R$, where $q \in Q$ and $\delta \in \Delta^{(k)}$. The rules of $M$ are used as term rewriting rules, and the rewrite relation induced by $M$ (on $T_{\langle Q, T_\Sigma \rangle \cup \Delta}$) is denoted by $\Rightarrow_M$. The translation realized by $M$ is $\tau_M = \{(s, t) \in T_\Sigma \times T_\Delta \mid s \Rightarrow^*_M \langle q, t \rangle, q \in F\}$. The class of all translations that can be realized by finite state relabelings is denoted by DQRELAB.

3 Macro Tree Transducers 

A macro tree transducer is a syntax-directed translation device in which the 
translation of an input subtree may depend on its context. The context infor- 
mation is processed by parameters. We will consider total deterministic macro 
tree transducers only. 

Definition 1. A macro tree transducer (for short, MTT) is a tuple $M = (Q, \Sigma, \Delta, q_0, R)$, where $Q$ is a ranked alphabet of states, $\Sigma$ and $\Delta$ are ranked alphabets of input and output symbols, respectively, $q_0 \in Q^{(0)}$ is the initial state, and $R$ is a finite set of rules; for every $q \in Q^{(m)}$ and $\sigma \in \Sigma^{(k)}$ with $m, k \geq 0$ there is exactly one rule of the form $\langle q, \sigma(x_1, \ldots, x_k) \rangle(y_1, \ldots, y_m) \to \zeta$ in $R$, where $\zeta \in T_{\langle Q, X_k \rangle \cup \Delta}(Y_m)$.

A rule of the form $\langle q, \sigma(x_1, \ldots, x_k) \rangle(y_1, \ldots, y_m) \to \zeta$ is called the $(q, \sigma)$-rule and its right-hand side $\zeta$ is denoted by $rhs_M(q, \sigma)$; it is also called a $q$-rule.

The rules of $M$ are used as term rewriting rules and by $\Rightarrow_M$ we denote the derivation relation induced by $M$ (on $T_{\langle Q, T_\Sigma \rangle \cup \Delta}(Y)$). The translation realized by $M$, denoted by $\tau_M$, is the total function $\{(s, t) \in T_\Sigma \times T_\Delta \mid \langle q_0, s \rangle \Rightarrow^*_M t\}$. The class of all translations that can be realized by MTTs is denoted by MTT. If for every $\sigma \in \Sigma$, $q \in Q^{(m)}$, $m \geq 0$, and $j \in [m]$, $y_j$ occurs exactly once in $rhs_M(q, \sigma)$ (i.e., the rules of $M$ are linear and nondeleting in $Y_m$), then $M$ is simple in the parameters (for short sp; we say, $M$ is an $MTT_{sp}$). The class of all translations that can be realized by $MTT_{sp}$s is denoted by $MTT_{sp}$. If all states of an MTT are of rank zero, then $M$ is called a top-down tree transducer. The class of translations realized by top-down tree transducers is denoted by $T$. For top-down tree transducers we also consider the case that for a state $q$ and an input symbol $\sigma$ there may be more than one rule of the form $\langle q, \sigma(x_1, \ldots, x_k) \rangle \to \zeta$ in $R$. Such a top-down tree transducer is called nondeterministic and the corresponding class of translations is denoted by $N\text{-}T$ (note that this is a class of relations rather than total functions). The class of translations realized by nondeterministic top-down tree transducers with monadic input (i.e., each input symbol is of rank 0 or 1) is denoted by $N\text{-}T_{mon}$.

Let us now consider an example of an MTT. 

Example 1. Let $M = (Q, \Sigma, \Sigma, q_0, R)$ be the $MTT_{sp}$ with $Q = \{q_0^{(0)}, q^{(2)}\}$, $\Sigma = \{\sigma^{(2)}, a^{(0)}, b^{(0)}\}$, and $R$ consisting of the following rules.

$\langle q_0, \sigma(x_1, x_2) \rangle \to \langle q, x_2 \rangle(\langle q_0, x_1 \rangle, \langle q_0, x_1 \rangle)$

$\langle q, \sigma(x_1, x_2) \rangle(y_1, y_2) \to \langle q, x_2 \rangle(\sigma(y_1, \langle q_0, x_1 \rangle), \sigma(\langle q_0, x_1 \rangle, y_2))$

$\langle q_0, a \rangle \to a$

$\langle q, a \rangle(y_1, y_2) \to \sigma(y_1, y_2)$

$\langle q_0, b \rangle \to b$

$\langle q, b \rangle(y_1, y_2) \to \sigma(y_2, y_1)$

Consider the input tree $t = \sigma(a, \sigma(b, \sigma(b, b)))$. Then a derivation by $M$ looks as follows.

$\langle q_0, t \rangle \Rightarrow_M \langle q, \sigma(b, \sigma(b, b)) \rangle(\langle q_0, a \rangle, \langle q_0, a \rangle)$

$\Rightarrow^*_M \langle q, \sigma(b, \sigma(b, b)) \rangle(a, a)$

$\Rightarrow_M \langle q, \sigma(b, b) \rangle(\sigma(a, \langle q_0, b \rangle), \sigma(\langle q_0, b \rangle, a))$

$\Rightarrow^*_M \langle q, \sigma(b, b) \rangle(\sigma(a, b), \sigma(b, a))$

$\Rightarrow^*_M \langle q, b \rangle(\sigma(\sigma(a, b), b), \sigma(b, \sigma(b, a)))$

$\Rightarrow_M \sigma(\sigma(b, \sigma(b, a)), \sigma(\sigma(a, b), b))$

Fig. 1 shows what the translations of trees of the form $s = \sigma(a_1, \sigma(a_2, \ldots \sigma(a_n, x) \ldots))$ with $a_1, \ldots, a_n \in \Sigma^{(0)}$ and $n \geq 1$ look like. If $x = a$ then $y\tau_M(s) = ww^r$ and if $x = b$ then $y\tau_M(s) = w^r w$, where $w = a_1 \cdots a_n$ and $w^r$ denotes the reverse of $w$ (i.e., the string $a_n a_{n-1} \cdots a_1$). Note that $M$ is sp because both $y_1$ and $y_2$ appear exactly once in the right-hand side of each $q$-rule of $M$. □
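The following Python interpreter is an added example (not code from the paper): it computes the $q$-translation $M_q(s)$ by evaluating right-hand sides with actual parameters, as characterized in Lemma 2 below, and runs the MTT $M$ of Example 1 to confirm the $ww^r$ / $w^r w$ behaviour and the sp property; the tuple encoding of trees and rules is an assumption of this example.

```python
# Added example (not from the paper): an interpreter for total deterministic
# macro tree transducers that computes the q-translation M_q(s) of Lemma 2,
# applied to the MTT M of Example 1. Encoding (an assumption of this example):
# a tree is a tuple (label, child, ...); in a right-hand side ("y", j) stands
# for the parameter y_j and ("call", q, i, t_1, ...) for <q, x_i>(t_1, ...).

def run_mtt(rules, q, s, params):
    """M_q(s) with the actual parameters params substituted for y_1..y_m."""
    label, children = s[0], s[1:]
    return _eval(rules, rules[(q, label)], children, params)

def _eval(rules, rhs, children, params):
    """Evaluate a right-hand side; <q', x_i>(...) recurses into child i.

    Arguments are evaluated first, so the called state receives output trees
    as its parameters: this is the second order substitution of Lemma 2."""
    tag = rhs[0]
    if tag == "y":                                   # parameter y_j
        return params[rhs[1] - 1]
    if tag == "call":                                # <q', x_i>(t_1, ..., t_l)
        _, q2, i, *args = rhs
        actual = [_eval(rules, a, children, params) for a in args]
        return run_mtt(rules, q2, children[i - 1], actual)
    # output symbol delta(t_1, ..., t_l), copied to the output tree
    return (tag,) + tuple(_eval(rules, a, children, params) for a in rhs[1:])

def translate(rules, q0, s):
    """tau_M(s) = M_{q0}(s); the initial state has rank 0, so no parameters."""
    return run_mtt(rules, q0, s, [])

def yield_of(t):
    """yt: the leaf labels read from left to right (e denotes the empty string)."""
    if len(t) == 1:
        return "" if t[0] == "e" else t[0]
    return "".join(yield_of(c) for c in t[1:])

# The MTT of Example 1: Q = {q0^(0), q^(2)}, Sigma = {sigma^(2), a^(0), b^(0)};
# "s" is written for sigma.
EXAMPLE1 = {
    ("q0", "s"): ("call", "q", 2, ("call", "q0", 1), ("call", "q0", 1)),
    ("q", "s"): ("call", "q", 2,
                 ("s", ("y", 1), ("call", "q0", 1)),
                 ("s", ("call", "q0", 1), ("y", 2))),
    ("q0", "a"): ("a",),
    ("q", "a"): ("s", ("y", 1), ("y", 2)),
    ("q0", "b"): ("b",),
    ("q", "b"): ("s", ("y", 2), ("y", 1)),
}
RANKS1 = {"q0": 0, "q": 2}

def comb(w, x):
    """The input tree sigma(a_1, sigma(a_2, ... sigma(a_n, x) ...)) for w = a_1...a_n."""
    t = (x,)
    for c in reversed(w):
        t = ("s", (c,), t)
    return t

def string_translation(w, x):
    """y tau_M(comb(w, x)); the text predicts w w^r for x = a and w^r w for x = b."""
    return yield_of(translate(EXAMPLE1, "q0", comb(w, x)))

def is_simple_in_parameters(rules, ranks):
    """sp check: each y_j, j in [m], occurs exactly once in every rhs of a rank-m state."""
    def count(t, j):
        if t[0] == "y":
            return 1 if t[1] == j else 0
        body = t[3:] if t[0] == "call" else t[1:]
        return sum(count(a, j) for a in body)
    return all(count(rhs, j) == 1
               for (q, _), rhs in rules.items() for j in range(1, ranks[q] + 1))
```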
The next lemma will be used in proofs by induction on the structure of the input tree. Let $M = (Q, \Sigma, \Delta, q_0, R)$ be an MTT. For every $q \in Q^{(m)}$ and $s \in T_\Sigma$ let the $q$-translation of $s$, denoted by $M_q(s)$, be the unique tree $t \in T_\Delta(Y_m)$ such that $\langle q, s \rangle(y_1, \ldots, y_m) \Rightarrow^*_M t$. Note that, for $s \in T_\Sigma$, $\tau_M(s) = M_{q_0}(s)$. The $q$-translations of trees in $T_\Sigma$ can be characterized inductively as follows.

Lemma 2. (cf. Definition 3.18 of [EV85]) Let $M = (Q, \Sigma, \Delta, q_0, R)$ be an MTT. For every $q \in Q$, $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $s_1, \ldots, s_k \in T_\Sigma$,

$M_q(\sigma(s_1, \ldots, s_k)) = rhs_M(q, \sigma)[\langle q', x_i \rangle \leftarrow M_{q'}(s_i) \mid \langle q', x_i \rangle \in \langle Q, X_k \rangle]$.



4 String Languages Generated by MTT 

To prove our first main result we need the following small lemma about second 
order tree substitution. It says that if we are considering the yield of a tree to 
which a second order tree substitution is applied, then inside the substitution 
merely the yields of the trees that are substituted are relevant. 

Lemma 3. Let $\Sigma$ be a ranked alphabet, $\gamma_1, \ldots, \gamma_n \in \Sigma$, and $t, s_1, \ldots, s_n, s'_1, \ldots, s'_n \in T_\Sigma(Y)$. If $ys_i = ys'_i$ for every $i \in [n]$, then

$y(t[\gamma_1 \leftarrow s_1, \ldots, \gamma_n \leftarrow s_n]) = y(t[\gamma_1 \leftarrow s'_1, \ldots, \gamma_n \leftarrow s'_n])$.

Lemma 3 can be proved by straightforward induction on $t$. We now show how to generate by a top-down tree transducer the string language generated by an $MTT_{sp}$.

Lemma 4. $yMTT_{sp} \subseteq y(DQRELAB \circ T)$.

Proof. Let $M = (Q, \Sigma, \Delta, q_0, R)$ be an $MTT_{sp}$. We will construct a finite state relabeling $N$ and a top-down tree transducer $M'$ such that for every $s \in T_\Sigma$, $y(\tau_{M'}(\tau_N(s))) = y\tau_M(s)$. The idea is as follows. Let $q \in Q^{(m)}$ and $s \in T_\Sigma$. Then, since $M$ is sp, $yM_q(s)$ is of the form

$w = w_0 y_{j_1} w_1 y_{j_2} w_2 \cdots y_{j_m} w_m$,

where $j_1, \ldots, j_m \in [m]$ are pairwise different and $w_0, \ldots, w_m \in (\Delta^{(0)})^*$. For a string of the form $w$ (where the $w_i$ are arbitrary strings not containing parameters) and for $0 \leq \nu \leq m$ we denote by $part_\nu(w)$ the string $w_\nu$. For every $w_\nu$, the top-down tree transducer $M'$ has a state $(q, \nu)$ which computes $w_\nu$. The information on the order of the parameters, i.e., the indices $j_1, \ldots, j_m$, will be determined by the finite state relabeling $N$ in such a way that $\sigma \in \Sigma^{(k)}$ is relabeled by $(\sigma, (pos_1, \ldots, pos_k))$, where for each $i \in [k]$, $pos_i$ is a mapping associating with every $q \in Q^{(m)}$ a bijection from $[m]$ to $[m]$. For instance, if $s_i$ equals the tree $s$ from above, then the $\sigma$ in $\sigma(s_1, \ldots, s_i, \ldots, s_k)$ is relabeled by $(\sigma, (pos_1, \ldots, pos_k))$ and $pos_i(q)(\nu) = j_\nu$ for $\nu \in [m]$. Formally, $N = (Q_N, \Sigma, \Gamma, Q_N, R_N)$, where

- $Q_N$ is the set of all mappings $pos$ which associate with every $q \in Q^{(m)}$ a bijection $pos(q)$ from $[m]$ to $[m]$. For convenience we identify $pos(q)$ with the string $j_1 \cdots j_m$ over $[m]$, where $pos(q)(i) = j_i$ for $i \in [m]$.

- $\Gamma = \{(\sigma, (pos_1, \ldots, pos_k))^{(k)} \mid \sigma \in \Sigma^{(k)}, k \geq 0, pos_1, \ldots, pos_k \in Q_N\}$.

- For every $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $pos_1, \ldots, pos_k \in Q_N$ let

$\sigma(\langle pos_1, x_1 \rangle, \ldots, \langle pos_k, x_k \rangle) \to \langle pos, (\sigma, (pos_1, \ldots, pos_k))(x_1, \ldots, x_k) \rangle$

be in $R_N$, where for every $q \in Q^{(m)}$, $pos(q) = order(rhs_M(q, \sigma))$ and for $t \in T_{\langle Q, X_k \rangle \cup \Delta}(Y_m)$, $order(t)$ is the string over $[m]$ defined recursively as follows: if $t = y_j \in Y_m$, then $order(t) = j$; if $t = \delta(t_1, \ldots, t_l)$ with $\delta \in \Delta^{(l)}$, $l \geq 0$, and $t_1, \ldots, t_l \in T_{\langle Q, X_k \rangle \cup \Delta}(Y_m)$, then $order(t) = order(t_1) \cdots order(t_l)$; and if $t = \langle q', x_i \rangle(t_1, \ldots, t_l)$ with $\langle q', x_i \rangle \in \langle Q, X_k \rangle^{(l)}$, $l \geq 0$, and $t_1, \ldots, t_l \in T_{\langle Q, X_k \rangle \cup \Delta}(Y_m)$, then $order(t) = order(t_{pos_i(q')(1)}) \cdots order(t_{pos_i(q')(l)})$.

It is straightforward to show (by induction on the structure of $s$) that $N$ is defined in such a way that if $\tau_N(\sigma(s_1, \ldots, s_k)) = (\sigma, (pos_1, \ldots, pos_k))(s'_1, \ldots, s'_k)$, then for every $i \in [k]$ and $q \in Q^{(m)}$,

$yM_q(s_i) = w_0 y_{pos_i(q)(1)} w_1 y_{pos_i(q)(2)} w_2 \cdots y_{pos_i(q)(m)} w_m$

for some $w_0, \ldots, w_m \in (\Delta^{(0)})^*$. In the induction step it can be shown that for $t \in T_{\langle Q, X_k \rangle \cup \Delta}(Y_m)$, $order(t) = j_1 \cdots j_m$, where $j_1, \ldots, j_m \in \mathbb{N}$, iff $y(t[\ldots]) = w_0 y_{j_1} w_1 y_{j_2} w_2 \cdots y_{j_m} w_m$ for some $w_0, \ldots, w_m \in (\Delta^{(0)})^*$, and $[\ldots] = [\langle q', x_i \rangle \leftarrow M_{q'}(s_i) \mid \langle q', x_i \rangle \in \langle Q, X_k \rangle]$.

We now define the top-down tree transducer $M' = (Q', \Gamma, \Delta', (q_0, 0), R')$, where

- $Q' = \{(q, \nu)^{(0)} \mid q \in Q^{(m)}, 0 \leq \nu \leq m\}$,

- $\Delta' = \Delta^{(0)} \cup \{b^{(2)}, e^{(0)}\}$, where $b, e \notin \Delta$, and

- for every $(q, \nu) \in Q'$, $(\sigma, (pos_1, \ldots, pos_k)) \in \Gamma^{(k)}$, and $k \geq 0$ let the rule

$\langle (q, \nu), (\sigma, (pos_1, \ldots, pos_k))(x_1, \ldots, x_k) \rangle \to \zeta$

be in $R'$, where $\zeta = comb_b(part_\nu(y(\xi[\_])))$, $\xi = rhs_M(q, \sigma)$, and $[\_]$ is the substitution

$[\langle q', x_i \rangle \leftarrow comb_b(\langle (q', 0), x_i \rangle\, y_{pos_i(q')(1)}\, \langle (q', 1), x_i \rangle\, y_{pos_i(q')(2)} \cdots y_{pos_i(q')(m)}\, \langle (q', m), x_i \rangle) \mid \langle q', x_i \rangle \in \langle Q^{(m)}, X_k \rangle]$.

We now prove the correctness of $M'$, i.e., that for every $s \in T_\Sigma$, $y(\tau_{M'}(\tau_N(s))) = y\tau_M(s)$. It follows from the next claim by taking $(q, \nu) = (q_0, 0)$.

Claim: For every $(q, \nu) \in Q'$ and $s \in T_\Sigma$, $y(M'_{(q, \nu)}(\tau_N(s))) = part_\nu(yM_q(s))$.

The proof of this claim is done by induction on the structure of $s$. Let $s = \sigma(s_1, \ldots, s_k)$, $\sigma \in \Sigma^{(k)}$, $k \geq 0$, and $s_1, \ldots, s_k \in T_\Sigma$. Then $y(M'_{(q, \nu)}(\tau_N(s))) = y(M'_{(q, \nu)}((\sigma, (pos_1, \ldots, pos_k))(\hat{s}_1, \ldots, \hat{s}_k)))$, where $\hat{s}_i = \tau_N(s_i)$ for all $i \in [k]$. This equals $y(\zeta[\ldots])$, where $\zeta = rhs_{M'}((q, \nu), (\sigma, (pos_1, \ldots, pos_k)))$ and $[\ldots] = [\langle (q', \nu'), x_i \rangle \leftarrow M'_{(q', \nu')}(\hat{s}_i) \mid \langle (q', \nu'), x_i \rangle \in \langle Q', X_k \rangle]$. By the definition of the rules of $M'$, $\zeta = comb_b(part_\nu(y(\xi[\_])))$, where $\xi = rhs_M(q, \sigma)$ and $[\_]$ is as above. By applying $y$ (yield) and the induction hypothesis we get $part_\nu(y(\xi[\_]))\vartheta$, where $\vartheta$ is the string substitution $[\langle (q', \nu'), x_i \rangle \leftarrow part_{\nu'}(yM_{q'}(s_i)) \mid \langle (q', \nu'), x_i \rangle \in \langle Q', X_k \rangle]$. Since $\vartheta$ does not change parameters, we can move it inside the application of $part_\nu$ to get $part_\nu(y(\xi[\_])\vartheta)$. If we move $\vartheta$ inside the application of $y$ (yield) we get $part_\nu(y(\xi[\_]\vartheta'))$, where $\vartheta'$ denotes the first order tree substitution replacing $\langle (q', \nu'), x_i \rangle$ of rank zero by a tree with $part_{\nu'}(yM_{q'}(s_i))$ as yield. Applying $\vartheta'$ inside of $[\_]$ amounts to replacing $\langle q', x_i \rangle$ by a tree with yield $w = part_0(yM_{q'}(s_i))\, y_{pos_i(q')(1)} \cdots part_m(yM_{q'}(s_i))$. By the correctness of the finite state relabeling $N$, $w = yM_{q'}(s_i)$. Since, by Lemma 3, we can put any tree with yield $w$ in the second order substitution, taking $M_{q'}(s_i)$ we get $part_\nu(y(\xi[\ldots]))$ with $[\ldots] = [\langle q', x_i \rangle \leftarrow M_{q'}(s_i) \mid \langle q', x_i \rangle \in \langle Q, X_k \rangle]$. By Lemma 2 this is equal to $part_\nu(yM_q(s))$, which ends the proof of the claim. □

Let us look at an example of an application of the construction in the proof of 
Lemma 4. 

Example 2. Let M be the MTTgp of Example 1. We construct the finite state 
relabeling N and the top-down tree transducer M' following the construction 
in the proof of Lemma 4. Let N = {Qm,X,E,Qm,Rn) be the finite state re- 
labeling with Qn = {gi 2 ,g 2 i}, gi 2 = {(go, e), (9, 12)}, g 2 i = {(go,e), (g,21)>, 

and r = {(cr, (gi 2 ,gi 2 ))^^^ (o-, (gi2,92i))^^^ (o-,(g 2 i,gi 2 ))^^^ (V, (g 2 i,g 2 i))^^^ 

(a, 0)*^°^ {b, 0)*^°^}. The set Rn of rules of N consists of the rules 

(gi 2 ,(a, ())) 
b ^ (g2i, {b, ())) 

o'i{r,xi},{r',X 2 }) ^ {r',{a,{r,r')){xi,X 2 }} for allr,r' G Qn- 

Consider the tree t = a(a,a(b,a(b, b))) again. Then rjv(t) equals 

(cr, (qi 2 , g 2 i))((a, ()), (cr, (g 2 i, g 2 i))((b, ()), (cr, (g 2 i, g 2 i))((b, 0), (b, ())))). (*) 

We now construct the top-down tree transducer $M'$. Let $M' = (Q', \Gamma, \Delta', (q_0,0), R')$ with $Q' = \{(q_0,0)^{(0)}, (q,0)^{(0)}, (q,1)^{(0)}, (q,2)^{(0)}\}$ and $\Delta' = \Delta^{(0)} \cup \{\sigma^{(2)}, e^{(0)}\}$. For simplicity we write down the rules of $M'$ as tree-to-string rules, i.e., we merely show the yield of the corresponding right-hand side. Let us consider in detail how to obtain the right-hand sides of the $((q,i),(\sigma,(r,q_{21})))$-rules for $0 \le i \le 2$ and $r \in Q_N$. Since we are only interested in the yields, we have to consider the string $v = y(\mathrm{rhs}_M(q,\sigma)[\![\ldots]\!])$, where $[\![\ldots]\!]$ is defined as in the proof of Lemma 4. This string equals

$\underbrace{((q,0),x_2)((q_0,0),x_1)}_{\mathrm{part}_0(v)}\ y_2\ \underbrace{((q,1),x_2)}_{\mathrm{part}_1(v)}\ y_1\ \underbrace{((q_0,0),x_1)((q,2),x_2)}_{\mathrm{part}_2(v)}.$

Hence, for every $r \in Q_N$ and $0 \le i \le 2$, $y\,\mathrm{rhs}_{M'}((q,i),(\sigma,(r,q_{21}))) = \mathrm{part}_i(v)$; similarly we get

$y\,\mathrm{rhs}_{M'}((q,0),(\sigma,(r,q_{12}))) = ((q,0),x_2),$
$y\,\mathrm{rhs}_{M'}((q,1),(\sigma,(r,q_{12}))) = ((q_0,0),x_1)((q,1),x_2)((q_0,0),x_1),$
$y\,\mathrm{rhs}_{M'}((q,2),(\sigma,(r,q_{12}))) = ((q,2),x_2).$

The remaining rules are, for $0 \le i \le 2$ and $r, r' \in Q_N$,

$((q_0,0),(\sigma,(r,r'))(x_1,x_2)) \to ((q,0),x_2)((q_0,0),x_1)((q,1),x_2)((q_0,0),x_1)((q,2),x_2)$
$((q_0,0),(a,())) \to a$
$((q_0,0),(b,())) \to b$
$((q,i),(b,())) \to \varepsilon$

Finally, consider the derivation by $M'$ with input tree $t' = \tau_N(t)$ (shown in (*)). Denote by $t'/2$ the tree $\tau_N(\sigma(b,\sigma(b,b)))$ and by $t'/22$ the tree $\tau_N(\sigma(b,b))$. Again we merely show the corresponding yields.

$((q_0,0), t')$
$\Rightarrow_{M'} ((q,0),t'/2)((q_0,0),(a,()))((q,1),t'/2)((q_0,0),(a,()))((q,2),t'/2)$
$\Rightarrow^*_{M'} ((q,0),t'/22)((q_0,0),(b,()))\ a\ ((q,1),t'/22)\ a\ ((q_0,0),(b,()))((q,2),t'/22)$
$\Rightarrow^*_{M'} ((q,0),(b,()))\ bba\ ((q,1),(b,()))\ abb\ ((q,2),(b,()))$
$\Rightarrow^*_{M'} bbaabb.$ □

From Lemma 4 we obtain our first main result: MTT$_{sp}$s and top-down tree transducers generate the same class of string languages if they take as input a class of tree languages that is closed under finite state relabelings.

Theorem 5. Let $\mathcal{C}$ be a class of tree languages that is closed under finite state relabelings. Then $y\mathrm{MTT}_{sp}(\mathcal{C}) = y\mathrm{T}(\mathcal{C})$.

Proof. By Lemma 4, $y\mathrm{MTT}_{sp}(\mathcal{C}) \subseteq y\mathrm{T}(\mathcal{C})$ and since every top-down tree transducer is an MTT$_{sp}$, $y\mathrm{T}(\mathcal{C}) \subseteq y\mathrm{MTT}_{sp}(\mathcal{C})$. □

Since the class REGT of regular tree languages is closed under finite state relabelings (cf. Proposition 20.2 of [GS97]), we get $y\mathrm{MTT}_{sp}(\mathrm{REGT}) = y\mathrm{T}(\mathrm{REGT})$ from Theorem 5. For top-down tree transducers it is known (Theorem 3.2.1 of [ERS80] and Theorem 4.3 of [Man98b]) that $\mathrm{T}(\mathrm{REGT})$ is equal to the class $\mathrm{OUT}(\mathrm{T})$ of output tree languages of top-down tree transducers (i.e., taking the particular regular tree language $T_\Sigma$ as input). In fact, it is shown in [Man98b] that for any class $\mathcal{W}$ of tree translations which is closed under left composition with "semi-relabelings", which are particular linear top-down tree translations, $\mathcal{W}(\mathrm{REGT}) = \mathrm{OUT}(\mathcal{W})$. Since it can be shown that MTT$_{sp}$ is closed under left composition with top-down tree translations we get that $y\mathrm{OUT}(\mathrm{MTT}_{sp}) = y\mathrm{OUT}(\mathrm{T})$, i.e., MTT$_{sp}$s and top-down tree transducers generate the same class of string languages. If we consider MTT$_{sp}$s with monadic output alphabet, then the class of path languages generated by them taking regular tree languages as input is also equal to $y\mathrm{T}(\mathrm{REGT})$ (cf. the proof of Lemma 7.6 of [EM98]). Thus, the classes of path and string languages generated by MTT$_{sp}$s are equal.

We now move to our second main result. First we define the operation $\mathrm{rub}_{b_1,\dots,b_n}$ which inserts the symbols $b_1,\dots,b_n$ ("rubbish") anywhere in the strings of the language to which it is applied. Let $A$ be an alphabet, $L \subseteq A^*$ a language, and $b_1,\dots,b_n$ new symbols not in $A$. Then $\mathrm{rub}_{b_1,\dots,b_n}(L)$ denotes the language

$\{w_1 a_1 w_2 a_2 \cdots w_k a_k w_{k+1} \mid a_1 \cdots a_k \in L,\ k \ge 1,\ w_1,\dots,w_{k+1} \in \{b_1,\dots,b_n\}^*\}.$

The following theorem shows that if an MTT $M$ generates $\mathrm{rub}_0(L)$ (where $\mathrm{rub}_0 = \mathrm{rub}_{b_1,\dots,b_n}$ for $n = 1$ and $b_1 = 0$) then, due to the nondeterminism inherent in $\mathrm{rub}_0$, $M$ cannot make use of its copying facility.

Theorem 6. Let $\mathcal{C}$ be a class of tree languages which is closed under finite state relabelings and under intersection with regular tree languages, and let $L \subseteq A^*$. If $\mathrm{rub}_0(L) \in y\mathrm{MTT}(\mathcal{C})$ then $L \in y\mathrm{MTT}_{sp}(\mathcal{C})$.

Proof. Let $M = (Q, \Sigma, \Delta, q_0, R)$ be an MTT and $K \in \mathcal{C}$ such that $y\tau_M(K) = \mathrm{rub}_0(L)$ and $\Delta^{(0)} = A \cup \{0\}$. By Lemma 6.6 of [EM98] we may assume that $M$ is nondeleting, i.e., for every $q \in Q^{(m)}$ and $j \in [m]$, $y_j$ appears at least once in the right-hand side of each $q$-rule. Consider a string of the form

$a_1 0^{n_1} a_2 0^{n_2} \cdots a_l 0^{n_l} a_{l+1}$

with $l \ge 0$, $a_1,\dots,a_{l+1} \in A$, and all $n_1,\dots,n_l \ge 0$ pairwise different. We call such a string a $\delta$-string. Clearly, it is sufficient to consider only $\delta$-strings in order to generate a tree language $R$ with $yR = L$ (if we can construct an MTT$_{sp}$ which generates as yield language at least all $\delta$-strings in $\mathrm{rub}_0(L)$, then by deletion of 0s we obtain an MTT$_{sp}$ which generates $L$ as yield language). Consider the right-hand side of a rule of $M$ in which some parameter $y_j$ occurs more than once. If, during the derivation of a tree which has as yield a $\delta$-string, this rule was applied, then the tree which is substituted for $y_j$ in this derivation contains at most one symbol in $A$, because otherwise, due to copying, the resulting string would not be a $\delta$-string. Hence, when deriving a $\delta$-string, a rule which contains multiple occurrences of a parameter $y_j$ is only applicable if the yield of the tree being substituted for $y_j$ contains at most one symbol in $A$. Based on this fact we can construct the MTT$_{sp}$ $M'$ which generates $L$. The information whether the yield of the tree which will be substituted for a certain parameter contains none, one, or more than one occurrence of a symbol in $A$ is determined by relabeling the input tree. Then this information is kept in the states of $M'$. More precisely, we will define a finite state relabeling $N$ which relabels $\sigma \in \Sigma^{(k)}$ in the tree $\sigma(s_1,\dots,s_k)$ by $(\sigma,(\phi_1,\dots,\phi_k))$, where for every $i \in [k]$ and $q \in Q$,

$\phi_i(q) = \begin{cases} \varepsilon & \text{if } yM_q(s_i) \text{ contains no symbol in } A \\ a & \text{if } yM_q(s_i) = w a w' \text{ with } w, w' \in (Y \cup \{0\})^* \\ dd & \text{otherwise,} \end{cases}$

where $a \in A$ and $d$ is an arbitrary symbol in $A$. Before we define $N$, let us define an auxiliary notion. For $w \in (\Delta^{(0)} \cup Y)^*$ let $\mathrm{oc}(w)$ be defined as follows. If $w \in (Y \cup \{0\})^*$, then $\mathrm{oc}(w) = \varepsilon$; if $w = w_1 a w_2$ with $a \in A$ and $w_1, w_2 \in (Y \cup \{0\})^*$, then $\mathrm{oc}(w) = a$; and otherwise $\mathrm{oc}(w) = dd$.

Let $N = (Q_N, \Sigma, \Gamma, Q_N, R_N)$ be the finite state relabeling with

- $Q_N = \{\phi \mid \phi : Q \to (\{\varepsilon, dd\} \cup A)\}$,

- $\Gamma = \{(\sigma,(\phi_1,\dots,\phi_k))^{(k)} \mid \sigma \in \Sigma^{(k)},\ k \ge 0,\ \phi_1,\dots,\phi_k \in Q_N\}$, and

- $R_N$ containing for every $\phi_1,\dots,\phi_k \in Q_N$ and $\sigma \in \Sigma^{(k)}$ with $k \ge 0$ the rule

$\sigma((\phi_1,x_1),\dots,(\phi_k,x_k)) \to (\phi, (\sigma,(\phi_1,\dots,\phi_k))(x_1,\dots,x_k)),$

where for every $q \in Q$, $\phi(q) = \mathrm{oc}(y(\mathrm{rhs}_M(q,\sigma)\theta))$ and $\theta$ denotes the second order substitution (where $b$ is an arbitrary binary symbol)

$[\![(q',x_i) \leftarrow \mathrm{comb}_b(\phi_i(q')\, y_1 \cdots y_m) \mid (q',x_i) \in (Q,X_k)^{(m)},\ m \ge 0]\!].$

It should be clear that $N$ realizes the relabeling as described above.

We now define $M' = (Q', \Gamma, \Delta', q'_0, R')$ to be the MTT with

- $Q' = \{(q,\varphi) \mid q \in Q^{(m)},\ m \ge 0,\ \varphi : [m] \to (\{\varepsilon, dd\} \cup A)\}$, where the rank of $(q,\varphi)$ with $q \in Q^{(m)}$ is $|\{j \in [m] \mid \varphi(j) = dd\}|$,

- $\Delta' = (\Delta - \{0\}) \cup \{b^{(2)}, \mathit{dummy}^{(0)}, e^{(0)}\}$, where $b$, $\mathit{dummy}$, and $e$ are not in $\Delta$,

- $q'_0 = (q_0, \emptyset)$, and

- $R'$ consisting of the following rules. For every $(q,\varphi) \in Q'^{(n)}$ and $(\sigma,(\phi_1,\dots,\phi_k)) \in \Gamma^{(k)}$ with $n, k \ge 0$ and $q \in Q^{(m)}$ let

$((q,\varphi), (\sigma,(\phi_1,\dots,\phi_k))(x_1,\dots,x_k))(y_1,\dots,y_n) \to \zeta$

be in $R'$, where $\zeta = \mathrm{comb}_{\mathit{dummy}}(y_1 \cdots y_n)$ if there is a $j \in [m]$ such that $\varphi(j) = dd$ and $y_j$ occurs more than once in $t = \mathrm{rhs}_M(q,\sigma)$, and otherwise $\zeta$ is obtained from $t$ by the following replacements:

1. Replace each subtree $(q',x_i)(t_1,\dots,t_l)$ with $(q',x_i) \in (Q,X_k)^{(l)}$, $l \ge 0$, and $t_1,\dots,t_l \in T_{(Q,X_k) \cup \Delta}(Y_m)$, by the tree $((q',\varphi'),x_i)(t_{j_1},\dots,t_{j_r})$, where $\{j_1,\dots,j_r\} = \varphi'^{-1}(dd)$ with $j_1 < \cdots < j_r$ and for every $j \in [l]$, $\varphi'(j) = \mathrm{oc}(y(t_j \theta \psi))$ with $\theta$ defined as above and $\psi = [y_\nu \leftarrow \varphi(\nu) \mid \nu \in [m]]$.

2. For $j \in [m]$, replace $y_j$ by $\varphi(j)$ if $\varphi(j) \ne dd$, and otherwise replace it by $y_\nu$ with $\nu = |\{\mu \mid \mu < j \text{ and } \varphi(\mu) = dd\}| + 1$.

3. Replace each occurrence of 0 by $e$.

Obviously $M'$ is sp. If we now consider the yields of all trees in $\tau_{M'}(\tau_N(K))$ which do not contain a $\mathit{dummy}$ symbol, then we obtain $L$. By Theorem 7.4(1) of [EV85] $R = \tau_{M'}^{-1}(T_{\Delta' - \{\mathit{dummy}\}})$ is a regular tree language. Hence $K' = \tau_N(K) \cap R$ is in $\mathcal{C}$ and $L = y\tau_{M'}(K')$ is in $y\mathrm{MTT}_{sp}(\mathcal{C})$. □

Note that Theorems 5 and 6 can be applied to $\mathcal{C} = \mathrm{REGT}$. Due to the next lemma they can also be applied to $\mathcal{C} = \mathrm{MTT}^n(\mathrm{REGT})$ for $n \ge 1$.

Lemma 7. Let $\mathcal{C}$ be a class of tree languages. If $\mathcal{C}$ is closed under finite state relabelings, then so is $\mathrm{MTT}(\mathcal{C})$.
Proof. Let $M = (Q, \Sigma, \Delta, q_0, R)$ be an MTT and let $N = (Q_N, \Delta, \Gamma, F, R_N)$ be a finite state relabeling. We now sketch how to construct a finite state relabeling $N'$ and an MTT $M'$ such that for every $s \in T_\Sigma$, $\tau_{M'}(\tau_{N'}(s)) = \tau_N(\tau_M(s))$. The idea is similar to the proof of Theorem 6. The relabeling $N'$ replaces the symbol $\sigma$ in $\sigma(s_1,\dots,s_k) \in T_\Sigma$ by $(\sigma,(\phi_1,\dots,\phi_k))$, where each $\phi_i$ associates with every $q \in Q^{(m)}$ a mapping of type $Q_N^m \to Q_N$ such that for $p_1,\dots,p_m \in Q_N$,

$\phi_i(q)(p_1,\dots,p_m) = p$ if $M_q(s_i) \Rightarrow^*_{\hat N} (p, s)$, where $\hat N$ is the extension of $N$ to $\Delta \cup Y_m$ by rules $y_j \to (p_j, y_j)$. Thus, if we know in which states $p_1,\dots,p_m$ the relabeling $N$ arrives after processing the trees which will be substituted for the parameters $y_1,\dots,y_m$, respectively, then $\phi_i(q)(p_1,\dots,p_m)$ is the state in which $N$ arrives after processing the part of the output tree of $M$ that corresponds to $M_q(s_i)$. The information on $p_1,\dots,p_m$ is encoded into the states of $M'$; i.e., each state of $M'$ is of the form $(q,\rho)$, where $q \in Q^{(m)}$, $\rho : [m] \to Q_N$, and $\rho(j)$ is the state in $Q_N$ in which $N$ arrives after processing the tree which is substituted for $y_j$ in a derivation by $M$. Together we have sufficient information to "run" $N$ on the right-hand side of $M$ to obtain the corresponding rules of $M'$. □

In the next lemma we will show that the $n$-fold application of $\mathrm{rub}_0$ can be simulated by a single application of $\mathrm{rub}_{0,1}$; i.e., if we know that $\mathrm{rub}_{0,1}(L) \in y\mathrm{MTT}(\mathcal{C})$, then this means that also $\mathrm{rub}_0^n(L)$ for any $n \ge 2$ is in $y\mathrm{MTT}(\mathcal{C})$. Note that $\mathrm{rub}_0^n(L) = \mathrm{rub}_{b_1,\dots,b_n}(L)$, where $b_1,\dots,b_n$ are new symbols not in $L$.

Lemma 8. Let $\mathcal{C}$ be a class of tree languages which is closed under finite state relabelings. If $\mathrm{rub}_{0,1}(L) \in y\mathrm{MTT}(\mathcal{C})$ then for every $n \ge 2$, $\mathrm{rub}_{b_1,\dots,b_n}(L) \in y\mathrm{MTT}(\mathcal{C})$.

Proof. It is straightforward to construct an MTT $M_{\mathrm{yield}}$ which translates every input tree into its yield, represented as a monadic tree (e.g., $\sigma(a,b)$ is translated into $a(b)$). In fact in Example 1(6, yield) of [BE98] it is shown that this tree translation can be defined in monadic second order logic (MSO). By Theorem 7.1 of [EM98] the MSO definable tree translations are precisely those realized by finite copying macro tree transducers. We will now define a top-down tree transducer $M_n$ which translates a monadic tree over the ranked alphabet $\Sigma = \{1^{(1)}, 0^{(1)}, 1^{(0)}, 0^{(0)}\}$ into a tree with yield in $\{b_1,\dots,b_n\}^*$. This is done as follows. We use a Huffman code to represent each $b_i$ by a string over $\{0,1\}$; more precisely, the string $0^i 1$ represents $b_{i+1}$ for every $0 \le i \le n-1$. $M_n$ has states $1,\dots,n$ and, starting in state 1, it arrives in state $i$ after processing $i-1$ consecutive 0s. In state $i$, $M_n$ outputs $b_i$ (in the yield) if it processes a 1 and moves back to state 1.

Let $n \ge 2$ and define $M_n = ([n], \Sigma, \Gamma, 1, R)$ to be the top-down tree transducer with $\Gamma = \{\gamma^{(2)}, b_1^{(0)}, \dots, b_n^{(0)}\}$ and $R$ as follows.

$(p, 1(x_1)) \to \gamma(b_p, (1, x_1))$ for $p \in [n]$

$(p, 0(x_1)) \to (p+1, x_1)$ for $p \in [n-1]$

$(n, 0(x_1)) \to \gamma(b_n, (1, x_1))$

$(p, 1) \to \varepsilon$ for $p \in [n]$

$(p, 0) \to \varepsilon$ for $p \in [n]$

Clearly, $y\tau_{M_n}(T_\Sigma) = \{b_1,\dots,b_n\}^*$ and hence if $yL = \{0,1\}^*$ then $y\tau_{M_n}(\tau_{M_{\mathrm{yield}}}(L)) = \{b_1,\dots,b_n\}^*$.

Let $\Delta$ be a ranked alphabet. If we change $M_n$ to have as input ranked alphabet $\Sigma' = \Sigma \cup \{\delta^{(1)} \mid \delta \in \Delta^{(0)}\} \cup \{\delta^{(0)} \mid \delta \in \Delta^{(0)}\}$, as output alphabet $\Gamma' = \Gamma \cup \{\delta^{(0)} \mid \delta \in \Delta^{(0)}\}$, and for every $p \in [n]$ the additional rules $(p, \delta(x_1)) \to \gamma(\delta, (1, x_1))$ and $(p, \delta) \to \delta$, then for every tree language $K$ over $\Delta$ with $yK = \mathrm{rub}_{0,1}(L)$, $y\tau_{M_n}(\tau_{M_{\mathrm{yield}}}(K)) = \mathrm{rub}_{b_1,\dots,b_n}(L)$.
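To make the decoding performed by $M_n$ concrete, the following Python code is an added example (not part of the paper) that runs $M_n$, including the $\delta$-rules of the previous paragraph, on a monadic input tree given as the list of its symbols from the root down to the leaf. The state set $[n]$, the code $0^i 1 \mapsto b_{i+1}$ and the rules of $M_n$ are taken from the text; writing $b_i$ as the string `b<i>`, the function names, and the sample inputs are this example's own assumptions. The last function checks the property used in the proof: after projecting away the rubbish, the output equals the input with its $0$s and $1$s removed.

```python
"""Run the top-down tree transducer M_n of Lemma 8 on a monadic tree.

Added example, not from the paper.  A monadic tree such as 0(1(a(0(0(1)))))
is passed as the list of its symbols from the root down to the leaf:
['0', '1', 'a', '0', '0', '1'].  '0' and '1' are the rubbish symbols of
rub_{0,1}; every other symbol is treated as some delta of the extended
input alphabet Sigma'.
"""


def run_Mn(n, tree):
    """Return the yield of tau_{M_n}(tree) as a list of output symbols.

    States are 1..n.  In state p the transducer
      * on 1(x1):     outputs b_p and continues in state 1,
      * on 0(x1):     moves to state p+1 if p < n, otherwise outputs b_n
                      and moves back to state 1,
      * on delta(x1): outputs delta and continues in state 1,
      * on a leaf:    outputs delta for a leaf delta, nothing for 0 or 1.
    """
    if n < 2:
        raise ValueError("M_n is defined for n >= 2")
    state = 1
    out = []
    last = len(tree) - 1
    for i, sym in enumerate(tree):
        leaf = i == last
        if sym == "1":
            if not leaf:
                out.append(f"b{state}")
                state = 1
        elif sym == "0":
            if not leaf:
                if state < n:
                    state += 1
                else:
                    out.append(f"b{n}")
                    state = 1
        else:  # delta: copied to the output in both ranks
            out.append(sym)
            state = 1
    return out


def encode_rubbish(indices):
    """The code of the text: b_i is written as the string 0^(i-1) 1."""
    return "".join("0" * (i - 1) + "1" for i in indices)


def strip_rubbish(word, rubbish):
    """Project a word onto its non-rubbish symbols."""
    return [s for s in word if s not in rubbish]


def preserves_core(n, tree):
    """True iff removing b_1..b_n from the output gives the input without 0/1.

    This is the half of y tau_{M_n}(tau_{M_yield}(K)) = rub_{b_1..b_n}(L)
    that says M_n never touches the symbols of L.
    """
    rubbish = {f"b{i}" for i in range(1, n + 1)}
    return strip_rubbish(run_Mn(n, tree), rubbish) == [
        s for s in tree if s not in ("0", "1")
    ]


if __name__ == "__main__":
    # constructed input tree: the monadic tree 0(1(a(0(0(0(1))))))
    print(run_Mn(3, list("01a0001")))
```

Leaves labelled 0 or 1 produce nothing, as in the rules $(p,1) \to \varepsilon$ and $(p,0) \to \varepsilon$, so a trailing rubbish symbol is simply dropped; this does not affect the generated language, since any string over $\{b_1,\dots,b_n\}$ can still be produced by appending a further 1.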

We can now compose $\tau_{M_{\mathrm{yield}}}$ with $\tau_{M_n}$ to obtain again a finite copying MTT which realizes $\tau_{M_{\mathrm{yield}}} \circ \tau_{M_n}$. This follows from the fact that MSO definable translations are closed under composition (cf. Proposition 2 of [BE98]) and that $M_n$ is finite copying (it is even linear, i.e., 1-copying).

In Corollary 7.9 of [EM98] it is shown that finite copying MTTs with regular look-ahead have the same string generating power as finite copying top-down tree transducers with regular look-ahead. Hence, there is a finite copying top-down tree transducer with regular look-ahead $M''$ such that $y\tau_{M''}(K) = \mathrm{rub}_{b_1,\dots,b_n}(L)$ if $yK = \mathrm{rub}_{0,1}(L)$. Since regular look-ahead can be simulated by a relabeling (see Proposition 18.1 in [GS97]) we get that $\mathrm{rub}_{b_1,\dots,b_n}(L) \in y\mathrm{T}(\mathrm{DQRELAB}(\mathrm{MTT}(\mathcal{C})))$ and, by Lemma 7 and the closure of MTT under right composition with T (Theorem 4.12 of [EV85]), this means that $\mathrm{rub}_{b_1,\dots,b_n}(L)$ is in $y\mathrm{MTT}(\mathcal{C})$. □

The proof of Lemma 8 in fact shows that yMTT{C) is closed under deterministic 
generalized sequential machine (GSM) mappings. For the case of nondeterminis- 
tic MTTs it is shown in Theorem 6.3 of [DE98] that the class of string languages 
generated by them is closed under nondeterministic GSM mappings. 

We are now ready to prove that there is a string language which can be 
generated by a nondeterministic top-down tree transducer with monadic input 
but not by the composition closure of MTTs. 

Theorem 9. $y\mathrm{N\text{-}T}_{mon}(\mathrm{REGT}) - \bigcup_{n \ge 1} y\mathrm{MTT}^n(\mathrm{REGT}) \ne \emptyset$.

Proof. Let $n \ge 1$. Since $\mathrm{MTT}^n(\mathrm{REGT})$ is closed (i) under intersection with REGT (follows trivially from the fact that REGT is preserved by the inverse of $\mathrm{MTT}^n$, cf. Theorem 7.4(1) in [EV85]) and (ii) under finite state relabelings (Lemma 7), we can apply Theorem 6 to $\mathcal{C} = \mathrm{MTT}^{n-1}(\mathrm{REGT})$. We obtain that $\mathrm{rub}_{b_1,\dots,b_n}(L) \in y\mathrm{MTT}^n(\mathrm{REGT})$ implies $\mathrm{rub}_{b_1,\dots,b_{n-1}}(L) \in y\mathrm{MTT}_{sp}(\mathrm{MTT}^{n-1}(\mathrm{REGT}))$. By Theorem 5 the latter class equals $y\mathrm{T}(\mathrm{MTT}^{n-1}(\mathrm{REGT}))$ and since $\mathrm{MTT} \circ \mathrm{T} = \mathrm{MTT}$ (Theorem 4.12 of [EV85]), it equals $y\mathrm{MTT}^{n-1}(\mathrm{REGT})$. Hence, by induction, $L \in y\mathrm{T}(\mathrm{REGT})$.

Let us now consider the concrete language $L_{\exp} = \{a^{2^n} \mid n \ge 0\}$. By the above we know that if $\mathrm{rub}_{b_1,\dots,b_n}(L) \in y\mathrm{MTT}^n(\mathrm{REGT})$, then $L \in y\mathrm{T}(\mathrm{REGT})$. Hence for $L = \mathrm{rub}_b(L_{\exp})$ we get that $\mathrm{rub}_{b_1,\dots,b_n}(L) \in y\mathrm{MTT}^n(\mathrm{REGT})$ implies $\mathrm{rub}_b(L_{\exp}) \in y\mathrm{T}(\mathrm{REGT})$. But by Corollary 3.2.16 of [ERS80] it is known that $\mathrm{rub}_b(L_{\exp})$ is not in $y\mathrm{T}(\mathrm{REGT})$ (the proof uses a bridge theorem which would imply that $L_{\exp}$ can be generated by a finite copying top-down tree transducer; but the languages generated by such transducers have the "Parikh property" and hence cannot be of exponential growth).

Altogether we get that $\mathrm{rub}_{b_1,\dots,b_n,b}(L_{\exp})$ is not in $y\mathrm{MTT}^n(\mathrm{REGT})$. By Lemma 8 this means that $\mathrm{rub}_{0,1}(L_{\exp}) \notin y\mathrm{MTT}^n(\mathrm{REGT})$. It is easy to show that $\mathrm{rub}_{0,1}(L_{\exp})$ can be generated by a nondeterministic top-down tree transducer with monadic input; in fact, in Corollary 3.2.16 of [ERS80] it is shown that this language can be generated by an ETOL system. The class of languages generated by ETOL systems is precisely the class of string languages generated by nondeterministic top-down tree transducers with monadic input [Eng76]. □

Note that the last statement in the proof of Theorem 9 implies that $\mathrm{ETOL} - \bigcup_{n \ge 1} y\mathrm{MTT}^n(\mathrm{REGT}) \ne \emptyset$, where ETOL is the class of languages generated by ETOL systems. It is known that the IO-hierarchy $\bigcup_{n \ge 0} y\mathrm{YIELD}^n(\mathrm{REGT})$ is inside $\bigcup_{n \ge 0} y\mathrm{MTT}^n(\mathrm{REGT})$ (this follows, e.g., from Corollary 4.13 of [EV85]). From Theorem 9 we obtain the following corollary.

Corollary 10. $\mathrm{rub}_{0,1}(L_{\exp})$ is not in the IO-hierarchy.

5 Conclusions and Further Research Topics 

In this paper we have proved that macro tree transducers which are simple in the parameters generate the same class of string languages as top-down tree transducers. Furthermore we have shown that there is a string language which can be generated by a nondeterministic top-down tree transducer with a regular monadic input language but not by the composition closure of MTTs.

Fig. 2. Inclusion diagram for classes of string languages generated by tree transducers: $y\mathrm{OUT}(\mathrm{N\text{-}T})$, $y\mathrm{OUT}(\mathrm{T})$, $y\mathrm{OUT}(\mathrm{MTT})$, $y\mathrm{OUT}(\mathrm{MTT}^*)$, $y\mathrm{OUT}(\mathrm{ATT})$, $y\mathrm{OUT}(\mathrm{ATT}^*)$ (inclusions are edges going from left to right).

Let us now consider another type of tree transducer: the attributed tree transducer (ATT) [Fül81]. Since the class ATT of translations realized by ATTs is a proper subclass of MTT it follows that $\mathrm{rub}_{0,1}(L_{\exp})$ is not in the class $y\mathrm{OUT}(\mathrm{ATT})$ of string languages generated by ATTs. Since nondeterministic top-down tree transducers with monadic input equal cooperating regular tree grammars [FM98] and attributed tree transducers have the same term generating power as context-free hypergraph grammars, it follows that there is a tree language which can be generated by a cooperating regular tree grammar but not by a context-free hypergraph grammar. This remained open in [Man98a].

It is known that the class of string languages generated by top-down tree transducers is properly contained in that generated by ATTs (see, e.g., [Eng86]). Together with Theorem 9 this means that the two leftmost inclusions in Fig. 2 are proper (inclusions are edges going from left to right). However, it is open whether the other inclusions in Fig. 2 are proper. For instance, we do not know whether there is a language which can be generated by an MTT but not by an ATT. Note that for the corresponding classes of tree languages we know the answer: the language $\{\gamma^{2^n}(a) \mid n \ge 0\}$ of monadic trees of exponential height can be generated by an MTT but not by an ATT (cf. Example 6.1 in [Man98b]).

Acknowledgement I wish to thank Joost Engelfriet for helpful discussions. 
Abstract. Message sequence charts (MSC) are widely used in the early design of communication protocols. They allow describing the communication skeleton of a system. We consider a basic verification task for hierarchical MSCs, the matching problem via MSC templates. We characterize the complexity of checking properties which are expressible by and-or templates, resp. by LTL formulas. Both problems are shown to be PSPACE-complete.



1 Introduction 

Message sequence charts (MSC) are an ITU-standardized notation which is 
widely used for the early design of communication protocols. They describe in a 
graphical way how message passing is supposed to be performed between con- 
current processes. Although MSCs do not contain the full information that is 
needed for implementing the described protocols, they can be used for various 
analysis purposes. For example, one can use MSCs to detect mistakes in the 
design, like race conditions [1] or non-local choice [2]. Some tools for performing 
basic verification tasks have been developed, [1,3]. 

The problem considered in this paper is to verify certain properties of MSC 
graphs (hierarchical MSCs) by means of template (MSC) graphs. Matching a 
template graph with a system graph means that a specific set of executions in 
the template is required to occur in an execution of the system, such that the 
causal order of events is preserved. The occurrence of executions is meant as an 
embedding, i.e. it allows gaps. (Actually, determining the existence of an exact 
mapping is easily seen to be undecidable, [7]). Two semantics have been already 
considered for template graphs, or-graphs resp. and-graphs, [7]. 

Here we focus on specifications (templates) given as and-or MSC graphs, which can be seen as alternating transition systems with an associated causal order related to Mazurkiewicz traces, [5]. Like alternating automata on $\omega$-words [10], it is more convenient to translate specifications into and-or MSC graphs than just or-graphs. The matching problem for and-or template graphs is shown to be PSPACE-complete. However, our proof shows somewhat surprisingly that and-or templates are not more expressive than or-templates (or and-templates). And-or MSC templates just provide a more succinct representation of specifications. They express properties given by shuffle ideals (of finite sets) and liveness

W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 273-287, 1999. 
conditions. We also consider the problem of specifying templates by LTL formulas, that is by matching the causal orders of sequences which satisfy a given
formula. For this semantics we show that deciding the existence of a matching 
is PSPACE-complete, too. The paper is organized as follows: Sect. 2 gives basic 
notions and definitions, in Sect. 3 we consider the and-or matching problem, and 
Sect. 4 deals with the matching problem for LTL specifications. 

2 Preliminaries 

Definition 1 (MSC). A message sequence chart $M = (S, <, \mathcal{P}, L, T)$ is given by a poset $(S, <)$ of events, a set $\mathcal{P}$ of processes, a mapping $L : S \to \mathcal{P}$ that associates each event with a process, and a mapping $T : S \to \{s, r\}$ that describes the type of each event (send or receive).

The partial order $<$ is called the visual order of events and it is obtained from the syntactical representation of the chart (e.g. represented according to the standard syntax ITU-Z 120). The visual order is induced by an acyclic relation $<_c \cup (\bigcup_{P \in \mathcal{P}} <_P)$ explained in the following. First, there is a one-to-one correspondence between send events, $S \cap T^{-1}(s)$, and receive events, $S \cap T^{-1}(r)$. Let $\mathcal{M}$ denote the graph of this correspondence, i.e. the set of messages. Then we have $e <_c f$ for every message $(e, f) \in \mathcal{M}$ (message ordering). Secondly, for every process $P \in \mathcal{P}$ the set $S \cap L^{-1}(P)$ is totally ordered by $<_P$ (process line ordering).

In general, the visual order provides more ordering than intended by the designer. Therefore every chart has an associated causal structure providing the intended ordering [1]. Causal structures are related to pomsets [9], event structures [8], and Mazurkiewicz traces [4]. A causal structure is obtained from a chart by means of a given semantics, which depends on the system architecture. Formally, the causal structure of a chart $M = (S, <, \mathcal{P}, L, T)$ is given as $\mathrm{tr}(M) = (S, \prec, \mathcal{P}, L, T)$, where the only difference between $M$ and $\mathrm{tr}(M)$ is the poset $(S, \prec)$, with $\prec$ denoting the causal order. The partial order $\prec$ is generated by a so-called precedence relation $\lessdot$, which depends on the implementation. The meaning is that for any two events $e$ and $f$, we have $e \lessdot f$ if and only if event $e$ must terminate before event $f$ starts.

As the semantics used throughout the paper, we define the precedence relation for an architecture with fifo queues. This means that every one-directional communication between two processes is done through a fifo channel. For this architecture we first impose the following constraint on the visual order: For any messages $(e, f), (e', f') \in \mathcal{M}$ with $e <_P e'$ and $L(f) = L(f') = P'$ for some $P, P' \in \mathcal{P}$ we require that $f <_{P'} f'$. Let $e, f \in S$ be two events. Then $e \lessdot f$ for the fifo semantics if one of the following holds:

1. A send preceded by some event on the same process:
   $T(f) = s \;\wedge\; e <_P f$ for some process $P$.

2. Message ordering: $e <_c f$.

3. Messages ordered by the fifo queue:
   $T(e) = T(f) = r \;\wedge\; e <_P f$ for some process $P$ $\;\wedge\;$
   $\exists e', f'\ (e' <_c e \;\wedge\; f' <_c f \;\wedge\; e' <_{P'} f'$ for some process $P')$.
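As an added example (not from the paper), the following Python code computes the precedence relation of the fifo semantics, rules 1 to 3 above, for a chart given by its process lines and its set of messages, checks the fifo constraint on the visual order, and closes the precedence relation transitively to obtain the causal order $\prec$. The input representation (process lines as lists of event names in visual order, messages as send/receive pairs), the function names and the sample chart are this example's own assumptions; the rule numbering follows the text. The sample also exhibits the point made above that the visual order says more than the causal order: two receives on one process line from different senders are visually ordered but causally independent.

```python
"""Causal order of an MSC under the fifo semantics (added example)."""
from itertools import product


def fifo_precedence(process_lines, messages):
    """Return the precedence relation as a set of pairs (e, f), e before f.

    process_lines: dict mapping a process name to the list of its events in
                   visual (top-to-bottom) order, i.e. the order <_P.
    messages:      list of pairs (send_event, receive_event); this is <_c.
    Raises ValueError if the visual order violates the fifo constraint or an
    event is neither a send nor a receive.
    """
    proc = {e: p for p, line in process_lines.items() for e in line}
    pos = {e: i for line in process_lines.values() for i, e in enumerate(line)}
    msgs = set(messages)
    send_of = {f: e for e, f in messages}   # receive event -> matching send
    typ = {e: "s" for e, _ in messages}
    typ.update({f: "r" for _, f in messages})
    if set(typ) != set(proc):
        raise ValueError("every event must be a send or a receive of a message")

    def lt_P(e, f):  # e <_P f: same process line and e drawn above f
        return proc[e] == proc[f] and pos[e] < pos[f]

    # fifo constraint on the visual order: messages sent in order on one
    # process line must be received in the same order on a common receiver
    for (e, f), (e2, f2) in product(messages, repeat=2):
        if lt_P(e, e2) and proc[f] == proc[f2] and not lt_P(f, f2):
            raise ValueError(f"fifo violation: {e2}->{f2} overtakes {e}->{f}")

    prec = set()
    for e, f in product(proc, repeat=2):
        if e == f:
            continue
        if typ[f] == "s" and lt_P(e, f):                     # rule 1
            prec.add((e, f))
        if (e, f) in msgs:                                   # rule 2
            prec.add((e, f))
        if (typ[e] == typ[f] == "r" and lt_P(e, f)           # rule 3
                and lt_P(send_of[e], send_of[f])):
            prec.add((e, f))
    return prec


def causal_order(process_lines, messages):
    """Transitive closure of the precedence relation: the causal order."""
    order = set(fifo_precedence(process_lines, messages))
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(order), repeat=2):
            if b == c and (a, d) not in order:
                order.add((a, d))
                changed = True
    return order


def violates_fifo(process_lines, messages):
    """True iff the chart is rejected by fifo_precedence."""
    try:
        fifo_precedence(process_lines, messages)
    except ValueError:
        return True
    return False


# Constructed sample chart (not from the paper): P1 sends two messages to P2
# through one fifo channel; after receiving both, P2 sends one message to P3.
SAMPLE_LINES = {"P1": ["e1", "e2"], "P2": ["f1", "f2", "g"], "P3": ["h"]}
SAMPLE_MSGS = [("e1", "f1"), ("e2", "f2"), ("g", "h")]
```

On the sample chart, rule 1 yields the pairs (e1, e2), (f1, g) and (f2, g), rule 2 the three messages, and rule 3 the pair (f1, f2), because both receives sit on P2 and their sends are ordered on P1. In the chart with lines P1: [e1], P2: [e2], P3: [f1, f2] and messages (e1, f1), (e2, f2), the two receives are visually ordered on P3 but rule 3 does not apply, so f1 and f2 stay causally unordered.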

Slightly abusing the notation, we identify $\mathrm{tr}(M)$ with the set of all linearizations of the causal order of $\mathrm{tr}(M)$. We also write $\mathrm{tr}(a)$ for a sequence $a \in S^\infty$ and mean by that the set of all linearizations of the causal order associated with $a$.

Given two charts $M_i = (S_i, <_i, \mathcal{P}, L_i, T_i)$, $i = 1, 2$, over the same set of processes we define their product as the chart $M_1 M_2 = (S_1 \cup S_2, <, \mathcal{P}, L_1 \cup L_2, T_1 \cup T_2)$, where $<\ =\ <_1 \cup <_2 \cup \bigcup_{P \in \mathcal{P}} (S_1 \cap L_1^{-1}(P)) \times (S_2 \cap L_2^{-1}(P))$.

Definition 2 (MSC graph). An MSC graph $N = (S, \tau, s_0, c, \mathcal{P})$ is given as a finite, directed graph $(S, \tau, s_0)$ with state set $S$, transition relation $\tau \subseteq S \times S$, source state $s_0 \in S$, together with a mapping $c$ associating each state $s$ with a finite chart $c(s)$ over the process set $\mathcal{P}$.

Let $\xi = s_1, s_2, \ldots$ be a (possibly infinite) path in $N$, i.e. $(s_i, s_{i+1}) \in \tau$ for every $i$. The chart defined by $\xi$ is given as $c(\xi) = c(s_1) c(s_2) \cdots$. We denote by $\mathrm{tr}(\xi)$ the causal structure associated with $c(\xi)$, resp. by $\prec_\xi$ the associated causal order.

A maximal path of $N$ is a path in the graph which starts with the source state and is either infinite or it ends in a sink state.

In order to simplify the presentation we assume that in an MSC graph $N$ every state $s \in S$ is associated with a single event. This is no restriction, due to the following observation: If $a = a_1 \cdots a_k$ denotes any topological sorting of the visual order of a chart $M$, then $\mathrm{tr}(a) = \mathrm{tr}(M)$. Let $M = c(s)$ for a state $s \in S$. We can replace $s$ by a sequence of states $s = s'_1 \to s'_2 \to \cdots \to s'_k$, where $s'_i$ is associated with the event $a_i$, and add transitions from $s'_k$ to all successors of $s$.

Definition 3 (Matching). Under a given semantics, a template $M$ with the causal structure $\mathrm{tr}(M) = (S_M, \prec_M, L_M, T_M, \mathcal{P}_M)$ matches an MSC $N$ with the causal structure $\mathrm{tr}(N) = (S_N, \prec_N, L_N, T_N, \mathcal{P}_N)$ if and only if $\mathcal{P}_M \subseteq \mathcal{P}_N$ and there exists an injective mapping (called embedding) $h : S_M \to S_N$ such that

- for each $e \in S_M$, we have $L_N(h(e)) = L_M(e)$ and $T_N(h(e)) = T_M(e)$ (preserving processes and types), and
- if $e_1 \prec_M e_2$ then $h(e_1) \prec_N h(e_2)$ (preserving the causal order).

A path $\xi_1$ in a graph $M$ matches a path $\xi_2$ in a graph $N$ if the chart $c(\xi_1)$ matches the chart $c(\xi_2)$.

Under the fifo semantics it suffices to consider only the type and the location of events. Let $\mathcal{P} = \{P_1, \dots, P_m\}$ be the set of processes and let $E = \{s_{ij}, r_{ij} \mid 1 \le i \ne j \le m\}$. The set $E$ consists of abstract events and is related to any set of events $S$ by means of a mapping $\mathrm{ev} : S \to E$. Consider a message $(e, f) \in \mathcal{M}$ with $L(e) = P_i$, $L(f) = P_j$. Then we let $\mathrm{ev}(e) = s_{ij}$ and $\mathrm{ev}(f) = r_{ij}$. Let $\chi$ be a path in an MSC graph, then $\mathrm{msg}(\chi) \subseteq E$ denotes the set $\{\mathrm{ev}(e) \mid e \text{ occurs in } c(\chi)\}$. The mapping $\mathrm{ev}$ extends to a homomorphism $\mathrm{ev} : S^\infty \to E^\infty$. Assume that $a$ is a topological sorting of $c(\chi)$. Let $\mathrm{ev}(\chi) \in E^\infty = E^* \cup E^\omega$ denote the (finite or infinite) sequence of abstract events $\mathrm{ev}(a)$.

For the remainder of the paper we will refer to the elements of $E$ simply as events. All notions introduced so far, e.g. precedence rules, causal order, matchings, can be transferred to the events in $E$.



3 And-Or MSC Graphs 

An and-or MSC graph $M = (S, \tau, s_0, c, S_\wedge, S_\vee, \mathcal{P})$ is given as an MSC graph where the set of states is partitioned in two sets, the set of and-states $S_\wedge$ and the set of or-states $S_\vee$.

Definition 4 (And-or MSC graphs). Let $M = (S, \tau, s_0, c, S_\wedge, S_\vee, \mathcal{P})$ be an and-or MSC graph. A run $R$ of $M$ is a tree $R = (X, \to, x_0, \ell, \mathrm{ev})$ with root $x_0$ and nodes labelled by states, $\ell : X \to S$, such that:

1. $x \to y$ in $R$ implies that $(\ell(x), \ell(y)) \in \tau$.

2. Every node $x \in X$ with $\ell(x) = s \in S_\vee$ has one successor in $R$, if $\{s' \mid \tau(s, s')\} \ne \emptyset$, otherwise it has no successor.

3. Every node $x \in X$ with $\ell(x) = s \in S_\wedge$ has exactly $k$ successors in $R$, all labelled differently, where $k = |\{s' \mid \tau(s, s')\}|$.

Moreover, $\mathrm{ev} : X \to E$ labels each node $x$ by the event $\mathrm{ev}(e)$, where $e = c(\ell(x))$.

A run $R$ is called maximal if all leaves are labelled by states without any successors in $M$ and the root is labelled by the source state.

An and-or MSC graph is an example for alternating transition systems. It can be used for specifying scenarios between a component of a system and the environment. Here, the moves of the environment are modelled as usual as universal moves, i.e. the component is required to meet its specification no matter how the environment behaves. Consider for example the and-or graph in Fig. 1, where state $N_1$ is an and-state and $N_2, N_3$ are or-states. For simplicity, the states are labelled by messages, not by single events. The MSC graph expresses that there are infinitely many connections requested by $P_2$ (from $P_1$), and all of them are either successful or $P_2$ gets into an infinite loop requesting a connection. Moreover, each time when process $P_2$ requests a connection, it expects (several) data transmissions from $P_3$.

Definition 5 (And-or matching). Given a template $M$ as an and-or MSC graph and a system $N$ as an MSC graph. We say that the template matches the system if there is some maximal run $R$ of $M$ and a maximal path $\chi$ of $N$ such that every path in $R$ matches $\chi$.
Fig. 1. An and-or MSC graph.

Consider again the and-or template graph $M$ of the above example. In every maximal run of $M$ the and-node $N_1$ occurs infinitely often. Therefore, a maximal run of $M$ matches an MSC $N$ only if $N$ contains infinitely many events of the
same type as Si, ri. This holds also for S2,r2, since every maximal run of M 
includes paths for every k, and we have The situation differs 

for node iVs. We might have a maximal run where iVs occurs on every path just 
once, before N2- But we do not have any events e in W, / in such that 
$e \prec f$. Hence, $s_3$ for example can be mapped for each occurrence of the node $N_3$ in the run of $M$ to the same event in the MSC $N$. (The specification given by $M$ is in some sense incomplete, it does not correspond to the intuition given above.) Moreover, the combination between states occurring infinitely often and dependency between events makes matching for and-or templates a quite complex task.

3.1 The Complexity of And-Or Matching 

Our main result is that matching and-or template graphs is PSPACE-complete. Thus, and-or matching appears to be computationally more difficult than matching or-templates, resp. and-templates. The latter problems have been shown to be NP-complete, [7].

The next proposition gives the lower bound for the and-or matching problem. 
Proposition 1. The problem whether an and-or template graph matches a system graph is PSPACE-hard.

Proof. We give a reduction from TQBF, i.e. the question whether a quantified Boolean formula is true or not. Suppose that $Q_0 x_0 \cdots Q_l x_l\ F(x_0, \dots, x_l)$ is in prenex normal form, with $Q_j \in \{\exists, \forall\}$ and $F$ a quantifier-free formula in 3-CNF. That is, $F = C_1 \wedge \cdots \wedge C_m$ with $C_j$ denoting disjunctions of at most three literals. For simplifying notations, the graphs $M, N$ described below are such that states are labelled by charts (instead of events). Recall that this can be easily translated to a labelling by events.

Let the set of processes be $\mathcal{P} = \{P_i, P_i', R_i, R_i' \mid 0 \le i \le l\}$. Let also $p_i$ (resp. $p_i'$) denote a message from $P_i$ to $P_i'$ (resp. from $P_i'$ to $P_i$). Analogously, let $n_i$ resp. $n_i'$ denote a message from $R_i$ to $R_i'$, resp. from $R_i'$ to $R_i$. The system graph $N$ (see also Fig. 2) is the single MSC $p_0' p_0 n_0' n_0 \cdots p_l' p_l n_l' n_l$. Note that the events $e$ with $L(e) \in \{P_i, P_i'\}$ are totally ordered in the causal order. Similarly, all events $e$ with $L(e) \in \{R_i, R_i'\}$ are totally ordered.



P, P' R, P' 



. p[ 


% 




Pi 













Fig. 2. The system graph. 



The template graph $M = (S, \tau, s_0, c, S_\vee, S_\wedge)$ is given by the vertex set

$S = \{s_i, s_i^t, s_i^f \mid 0 \le i \le l\} \cup \{t_i, t_{i,1}, t_{i,2}, t_{i,3} \mid 1 \le i \le m\} \cup \{t\},$

and the transition relation $\tau \subseteq S \times S$:

$\tau = \{(s_i, s_i^t), (s_i, s_i^f), (s_j^t, s_{j+1}), (s_j^f, s_{j+1}) \mid 0 \le i, j \le l,\ j \ne l\} \cup \{(s_l^t, t), (s_l^f, t)\} \cup \{(t, t_i) \mid 1 \le i \le m\} \cup \{(t_i, t_{i,1}), (t_i, t_{i,2}), (t_i, t_{i,3}) \mid 1 \le i \le m\}.$

For $s \in S$ we define $s \in S_\wedge$ if and only if either $s = s_i$ and $Q_i = \forall$, or $s = t$. That is, the nodes $s_i$, $0 \le i \le l$, are of type corresponding to the quantifier $Q_i$. Moreover, the node $t$ is an and-node corresponding to the conjunction of the clauses. All remaining nodes are or-nodes. The states $s_i^t, s_i^f$ are labelled by single messages (see also Fig. 3):

$c(s) = \begin{cases} p_i & \text{for } s = s_i^t,\ 0 \le i \le l \\ n_i & \text{for } s = s_i^f,\ 0 \le i \le l. \end{cases}$

Let $C_j = X_{j,1} \vee X_{j,2} \vee X_{j,3}$ be a clause. If $X_{j,1} = x_k$ is a positive literal then let $c(t_{j,1}) = n_k'$. For a negative literal $X_{j,1} = \bar{x}_k$ we let $c(t_{j,1}) = p_k'$. The definition of $c(t_{j,2}), c(t_{j,3})$ is similar, depending on $X_{j,2}$ resp. $X_{j,3}$. For example, in Fig. 3 we represented a clause over $x_1, x_2, x_3$. All remaining states are labelled by $\emptyset$.





n 



f 

1 



P2 




Fig. 3. The template graph. 



There is a natural bijection between the assignments $a : \{x_1, \ldots, x_n\} \to \{t, f\}$ 
for $F$ and the paths from $s_0$ to $t$ in $M$. Formally, if $s_i^t$ belongs to a path 
then $x_i$ is assigned the value $t$, whereas if $s_i^f$ belongs to a path, then $x_i$ is 
assigned the value $f$. It is not difficult to verify that a run $R$ of $M$ matches the 
system chart $N$ if and only if every path in $R$ from $s_0$ to $t$ defines an accepting 
assignment for $F$. Hereby, we choose for every clause a leaf corresponding to a 
true literal. The (easy) proof is left to the reader. 
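The reduction above, as an added brute-force Python model that is not part of the paper: it builds the system MSC $N$ for a small QBF, evaluates the and-or template $M$ along its and-or structure, and cross-checks the result against the direct semantics of the formula. Since the paper's definition of matching is not reproduced on this page, the code assumes that a template path matches the system chart if every template event can be mapped to a system event with the same label such that causally ordered template events map to causally ordered system events (gaps allowed, no injectivity required). It also accepts clauses of any width, not just three literals. The process naming and the function names (`matches`, `template_matches`, `qbf_true`) are the example's own.

```python
from itertools import product

# ---- MSC causal order at the event level (assumed model, see lead-in) ----
def events_of(msgs):
    """Expand a message sequence [(label, sender, receiver), ...] into the
    event sequence of the MSC: the send event at the sender, then the
    receive event at the receiver."""
    ev = []
    for label, snd, rcv in msgs:
        ev.append(("!" + label, snd))
        ev.append(("?" + label, rcv))
    return ev

def causal_order(msgs):
    """Return (events, before): before[i][j] holds iff event i causally
    precedes event j.  Events on the same process are ordered by position,
    each send precedes its receive, and the relation is closed transitively."""
    ev = events_of(msgs)
    n = len(ev)
    before = [[False] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if ev[i][1] == ev[j][1]:
                before[i][j] = True
    for i in range(0, n, 2):
        before[i][i + 1] = True
    for k in range(n):
        for i in range(n):
            if before[i][k]:
                for j in range(n):
                    if before[k][j]:
                        before[i][j] = True
    return ev, before

def matches(template_msgs, system_msgs):
    """Matching with gaps (assumed definition): does some map from template
    events to equally labelled system events preserve the template order?"""
    tev, tb = causal_order(template_msgs)
    sev, sb = causal_order(system_msgs)
    cands = [[j for j, e in enumerate(sev) if e[0] == t[0]] for t in tev]
    if any(not c for c in cands):
        return False
    n = len(tev)
    for mu in product(*cands):
        if all(sb[mu[i]][mu[j]] for i in range(n) for j in range(n) if tb[i][j]):
            return True
    return False

# ---- the reduction: system MSC N and the labels of M ----
def system_msc(nvars):
    """N is the single MSC p'_i p_i n'_i n_i for i = 0, ..., l."""
    msgs = []
    for i in range(nvars):
        msgs += [(f"p'{i}", f"P'{i}", f"P{i}"), (f"p{i}", f"P{i}", f"P'{i}"),
                 (f"n'{i}", f"R'{i}", f"R{i}"), (f"n{i}", f"R{i}", f"R'{i}")]
    return msgs

def var_msg(i, value):
    """Label of s_i^t (message p_i) resp. s_i^f (message n_i)."""
    return (f"p{i}", f"P{i}", f"P'{i}") if value else (f"n{i}", f"R{i}", f"R'{i}")

def leaf_msg(var, positive):
    """Label of a clause leaf: n'_k for the literal x_k, p'_k for not x_k."""
    return ((f"n'{var}", f"R'{var}", f"R{var}") if positive
            else (f"p'{var}", f"P'{var}", f"P{var}"))

def template_matches(quantifiers, clauses):
    """Does some maximal run of M match N?  quantifiers is a string over
    'A' (forall) / 'E' (exists), one per variable x_0..x_l; a clause is a
    list of (variable index, positive?) literals.  s_i is an and-node for
    'A' and an or-node for 'E'; t is an and-node over the clauses; each t_j
    is an or-node over its literals."""
    system = system_msc(len(quantifiers))

    def rec(i, prefix):
        if i == len(quantifiers):
            return all(any(matches(prefix + [leaf_msg(v, pos)], system)
                           for v, pos in clause) for clause in clauses)
        branches = [rec(i + 1, prefix + [var_msg(i, b)]) for b in (True, False)]
        return all(branches) if quantifiers[i] == "A" else any(branches)
    return rec(0, [])

def qbf_true(quantifiers, clauses):
    """Direct semantics of the quantified Boolean formula, for cross-checking."""
    def rec(i, assignment):
        if i == len(quantifiers):
            return all(any(assignment[v] == pos for v, pos in clause)
                       for clause in clauses)
        branches = [rec(i + 1, assignment + [b]) for b in (True, False)]
        return all(branches) if quantifiers[i] == "A" else any(branches)
    return rec(0, [])

if __name__ == "__main__":
    # forall x0 exists x1 : (x0 or x1) and (not x0 or not x1) is true,
    # exists x0 forall x1 of the same matrix is false; M matches N accordingly.
    F = [[(0, True), (1, True)], [(0, False), (1, False)]]
    for q in ("AE", "EA"):
        print(q, template_matches(q, F), qbf_true(q, F))
```

The core of the reduction is visible in `matches`: on the path through $s_k^t$ the template orders $p_k$ before a later $p'_k$ leaf (both are on the processes $P_k, P'_k$), while the system orders $p'_k$ before $p_k$, so the negative-literal leaf cannot be matched; a leaf $n'_k$ lives on other processes and is unconstrained. The mirror argument applies through $s_k^f$.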



3.2 Matching and-or templates in PSPACE 

Showing the lower bound for the and-or matching problem was quite straight- 
forward, which is not the case with the upper bound. Actually, it is a priori not 
clear why it would be possible to restrict the and-or matching problem to a finite 
instance of matching. The aim of the next propositions is to give a decomposi- 
tion of maximal runs in an and-or template graph into two parts. The first part is 
a polynomially bounded tree, all paths of which have to be matched against a 
finite path in the system. The remaining part is the so-called recurrent part, for 
which only (abstract) events have to be recorded, all of which have to occur in 
a loop of the system graph. 

Let $x = x_1, \ldots, x_k = y$ be a path in a run $R = (X, \to, x_0, \ell, ev)$. We write 
$x \prec y$ whenever the event $ev(x)$ precedes causally the event $ev(y)$ in the sequence 
$ev(x_1) \cdots ev(x_k)$. Let $y{\downarrow} = \{x \in X \mid x \prec y\}$. 
Definition 6. Let $R = (X, \to, x_0, \ell, ev)$ be a run in an and-or MSC graph $M$. 
Let $X_e = \{x \in X \mid ev(x) = e\}$. We define a set of events $E_{fin}(R) \subseteq E$ as 

$E_{fin}(R) = \{e \in E \mid \max\{|X_e \cap y{\downarrow}| \mid y \in X\} < \infty\}$. 

By $X_{fin}(R) \subseteq X$ we denote the subset of vertices $X_{fin}(R) = \{x \in X \mid ev(x) \in E_{fin}(R)\}$. 

Intuitively, $E_{fin}(R) \subseteq E$ contains all events which require an exact match- 
ing for the corresponding nodes $x$ (resp. paths from $x_0$ to $x$), i.e. for nodes $x$ with 
$ev(x) \in E_{fin}(R)$. Equivalently, for nodes $x$ with events from $E \setminus E_{fin}(R)$ the only 
information needed is $ev(x) \in E$. Consider again the and-or template of Fig. 1. 
We have $E_{fin}(R) \subseteq \{s_{32}, r_{32}\}$ for every maximal run $R$ of $M$. Put another way, 
$s_{21} \notin E_{fin}(R)$, since $N_1$ has to repeat infinitely often on some path of the run. 
Moreover, $s_{12} \notin E_{fin}(R)$, since every maximal run includes paths $N_1^k N_2$ for every 
$k$. The situation differs for node $N_3$. We might have a maximal run 
where $N_3$ occurs on every path just once, before $N_1$. Since there is no depen- 
dence from $N_1$ to $N_3$ all events $e$ with $ev(e) = s_{32}$ can be mapped to the same 
event on the system path (similarly for $ev(e) = r_{32}$). Thus, node $N_2$ represents 
the bounded part, which has to be matched exactly against the system. 

Notations: Let $M = (S, \tau, s_0, c, S_\wedge, S_\vee)$ be an and-or graph and consider a 
run $R = (X, \to, x_0, \ell, ev)$. Let $p = (x_1, x_2, \ldots)$ be a sequence of vertices from $X$, 
then $\ell(p)$ denotes the sequence of states $(\ell(x_1), \ell(x_2), \ldots) \in S^\infty$. For $x \in X$ we 
denote by $R_x$ the subtree of $R$ with root $x$ and by $\pi(x)$ the path $(x_0, \ldots, x_k)$ 
from $x_0$ to $x = x_k$. By $\pi_{fin}(x)$ we denote the subsequence $(x_{i_1}, \ldots, x_{i_f})$ of $\pi(x)$ 
containing exactly the vertices from $X_{fin}(R)$. (I.e. we have $x_j \in X_{fin}(R)$ if and 
only if $j = i_m$ for some $m$.) More generally, for a (finite or infinite) path $p$ in $R$ 
we denote by $\pi_{fin}(p)$ the subsequence of vertices of $p$ belonging to $X_{fin}(R)$. 

Remark 1. Note that for any path $p$ in $R$ the subsequence $\pi_{fin}(p)$ is finite. More- 
over, there exists a sequence of events $\alpha \in (E \setminus E_{fin}(R))^\infty$ such that $ev(p)$ and 
$ev(\pi_{fin}(p))\alpha$ define the same causal structure, i.e. $tr(ev(p)) = tr(ev(\pi_{fin}(p))\alpha)$. 

Lemma 1. Let $M$ be an and-or template graph and consider a run $R'$ of $M$. 
Let $e \in E_{fin}(R')$. Then there exists a run $R = (X, \to, x_0, \ell, ev)$ of $M$ satisfying 
the following conditions: 

1. Every path of $R$ is a subpath of some path in $R'$. 

2. Let $x, y, z \in X$ be such that $x \in X_e$, and $y, z \in x{\downarrow}$. Then $\ell(y) = \ell(z)$ implies 
$y = z$. 

3. We have $E_{fin}(R') \subseteq E_{fin}(R)$. Moreover, if $R'$ is maximal, then $R$ is maximal, 
too. 

The previous lemma says that it suffices to consider maximal runs $R$ where 
for every path $p$ the subsequence $\pi_{fin}(p)$ has length at most $|S|$, with $S$ denoting 
the set of states of $M$. 
Lemma 2. Let $M$ be an MSC and let $\chi$ be a loop in an MSC graph such that 
$msg(M) \subseteq msg(\chi)$. Then $M$ matches $\chi^\omega$. 

Lemma 3. Let $R$ be a run in an and-or template graph $M$ and let $N$ be a system 
graph. Then $R$ matches $N$ if and only if $R$ matches some path in $N$ of the form 
$\chi_0 \chi_1^\omega$, where $\chi_0$ is a finite path and $\chi_1$ is a (possibly empty) loop. 

Lemma 4. Let $R = (X, \to, x_0, \ell, ev)$ be a run in an and-or template graph $M$ 
and let $\chi = \chi_0 \chi_1^\omega$ be a path in the system graph $N$ such that $R$ matches $\chi$. Then 
we have 

1. $E \setminus E_{fin}(R) \subseteq msg(\chi_1)$ 

2. Every path $p$ in $R$ is such that $\pi_{fin}(p)$ matches $\chi_0 \chi_1^{|S|}$. 

The proposition below says that it is sufficient to consider maximal runs $R$ 
such that any two vertices $x, y \in X_{fin}(R)$ which are such that the subpaths $\pi_{fin}(x)$ 
and $\pi_{fin}(y)$ have the same sequence of state labels also have equal subtrees. We 
assume in the following w.l.o.g. that the source state of the template has no 
incoming edges, thus the root $x_0$ of a run $R$ belongs to $X_{fin}(R)$. 

Proposition 2. Let $M$ be an and-or template graph and consider a run $R$ of 
$M$. Then a run $R' = (X, \to, x_0, \ell, ev)$ of $M$ exists such that: 

1. For all vertices $x, y \in X_{fin}(R')$ with $\ell(\pi_{fin}(x)) = \ell(\pi_{fin}(y))$ we have $R'_x = R'_y$. 

2. For every path $p'$ in $R'$, the causal structure $tr(\pi_{fin}(p'))$ is equal to $tr(\pi_{fin}(p))$, 
for some path $p$ in $R$. 

3. If $R$ satisfies Lemma 1, then $R'$ satisfies Lemma 1, too. Moreover, if $R$ is 
maximal, then $R'$ is also maximal and we have finally $E_{fin}(R) \subseteq E_{fin}(R')$. 

Proof. Consider a maximal run $R$ satisfying Lem. 1. We assume that $R$ does 
not satisfy the first condition of the statement and we consider two vertices 
$x, y$ from $X_{fin}(R)$ with $\ell(\pi_{fin}(x)) = \ell(\pi_{fin}(y))$, but $R_x \ne R_y$. Clearly, $x, y$ are 
incomparable w.r.t. the successor relation in $R$, since they are labelled by the 
same state. We claim that the run $R'$ obtained from $R$ by replacing $R_y$ by a 
copy of $R_x$ satisfies Conds. (2) and (3) of the statement. To see this, note that 
for every maximal path $p'$ in $R'$ containing $y$ there is a corresponding maximal 
path $p$ in $R$ containing $x$ such that $\ell(\pi_{fin}(p)) = \ell(\pi_{fin}(p'))$ (here $\pi_{fin}$ is meant 
w.r.t. $R$). Moreover, the nodes in $p \setminus \pi_{fin}(p)$ (resp. in $p' \setminus \pi_{fin}(p')$) are labelled by 
events from $E \setminus E_{fin}(R)$. 

For subtrees $R'$ of $R$ we define $m(R')$ as 

$m(R') = \max\{|\pi_{fin}(p)| \mid p \text{ is a path in } R'\}$. 

Note that $m(R')$ is defined w.r.t. $R$, i.e. $\pi_{fin}(p)$ is given by $R$. We show below 
by induction on $m(R')$ how to obtain a run $\tilde R$ satisfying the requirement of the 
proposition with regard to $E_{fin}(R)$. This means that any two vertices $x, y$ of $\tilde R$ 
with $\ell(\pi_{fin}(x)) = \ell(\pi_{fin}(y))$ will have equal subtrees. However, we will obtain 
$E_{fin}(R) \subseteq E_{fin}(\tilde R)$. If $E_{fin}(R) = E_{fin}(\tilde R)$ then we are done, since in this case 
$\pi_{fin}(p)$ as given by $R$ is the same as $\pi_{fin}(p)$ as given by $\tilde R$. Otherwise we repeat 
the construction with $\tilde R$. After at most $|E|$ steps we obtain the desired run. 

For defining $\tilde R$ we consider all vertices $x \in X_{fin}(R)$ at depth 1, i.e. $\pi_{fin}(x) = 
(x_0, x)$ has length 1. Suppose that $x$ is labelled by $s \in S$ and let us choose 
some fixed vertex $x_s$ of this kind, for each possible $s$. Consider the subtree $R_{x_s}$ 
rooted at $x_s$. Clearly, $m(R_{x_s}) < m(R)$. By induction we may assume that any 
two vertices $y, z$ in $R_{x_s}$ with $\ell(\pi_{fin}(y)) = \ell(\pi_{fin}(z))$ have equal subtrees. We can 
replace all subtrees $R_x$ for $x$ with $\pi_{fin}(x) = (x_0, x)$, $\ell(x) = s$, by $R_{x_s}$, and obtain 
the desired run $\tilde R$. 

The next proposition gives the characterization for deciding the existence of 
a matching from an and-or graph into an MSC graph. 

Proposition 3. Let $M$ be an and-or template graph and let $N$ be a system 
graph. Let $S$ denote the set of states of $M$. Then $M$ matches $N$ if and only if 
there exist 

1. A set of events $G \subseteq E$ of $M$. 

2. A path $\chi$ in $N$ to a strongly connected component $C$ of $N$ with $G \subseteq msg(C)$. 

3. A tree $T_0 = (X, \to, x_0, \ell, ev)$ labelled by $\ell : X \to S$, $ev : X \to E$, such that 
for any two distinct nodes $x, y \in X$ which are either siblings or comparable 
in $T_0$, $\ell(x) \ne \ell(y)$. Moreover, every path of $T_0$ matches the path $\chi$ in $N$. 

4. A maximal run $R$ of $M$ such that for every maximal path $p$ of $R$, we have 
$tr(ev(p)) = tr(ev(f)\alpha)$, where $f$ is a maximal path in $T_0$ and $\alpha \in G^\infty$. 

Proof. By Lem. 3, 4 and Prop. 2 we can assume that we have a maximal run $R = 
(X, \to, x_0, \ell, ev)$ of $M$ which satisfies the first condition of Prop. 2 and matches 
a path $\chi \chi_1^\omega$ in $N$. Let $C$ denote the strongly connected component represented 
by $\chi_1$. Let $G = E \setminus E_{fin}(R)$; then $G \subseteq msg(\chi_1)$ by Lem. 4. By assumption, the 
root $x_0$ of $R$ belongs to $X_{fin}(R)$. Define first a tree $T'_0 = (X_{fin}(R), \to', x_0)$ by 
letting $x \to' y$ in $T'_0$ whenever there is a path $x \to x_1 \to \cdots \to x_k \to y$ in $R$ with 
$x_i \notin X_{fin}(R)$ for every $i$. The tree $T_0$ is now defined by identifying two vertices 
$x, y$ in $T'_0$ whenever $\ell(\pi(x)) = \ell(\pi(y))$. By Cond. (1) of Prop. 2 this step is well- 
defined. By Rem. 1 every maximal path $p$ in $R$ has the same causal structure as 
$ev(\pi_{fin}(p))\alpha$ for some $\alpha \in G^\infty$. Moreover, $\pi_{fin}(p)$ is a maximal path in $T_0$. 

Remark 2. The length of the path $\chi$ in the previous proposition can be bounded 
by a polynomial in $|S|$ and $|S'|$, where $S'$ is the set of states of $N$. 

The next lemma implies that we can check the last condition of Prop. 3 in 
PSPACE. 

Lemma 5. Let $M = (S, \tau, s_0, c, S_\wedge, S_\vee, \mathcal{P})$ be an and-or template graph. Sup- 
pose that we are given a state $r \in S$, a set $L \subseteq S$ of sink states in $M$ and a set 
of events $I(s) \subseteq E$ for each $s \in L$, as well as a set $G \subseteq E$. Then we can check 
in PSPACE whether a maximal run $R = (X, \to, x_0, \ell, ev)$ of $M$ exists satisfying 
the following conditions: 

1. State $r$ labels the root $x_0$ of $R$. 

2. For every state $s \in L$ there is at least one leaf labelled by $s$. Moreover, every 
non-leaf node $x$ is labelled by $ev(x) \in G$. 

3. For every path $y \to^* x$ in $R$ to a leaf $x$ with $\ell(x) = s$ we have either $ev(y) \in 
I(s)$ or $y = x_0$. 

Theorem 1. There is a PSPACE algorithm for deciding whether an and-or 
template graph $M$ matches a system graph $N$. 

Proof. We have to check in PSPACE the existence of $T_0$, $R$, $G$, $\chi$, $C$ as in 
Prop. 3. Clearly, $G \subseteq E$ and $C$ can be guessed and stored. By Rem. 2 the path 
$\chi$ can also be stored. The problem arises with $T_0$, since the size of $T_0$ might be 
exponential (however, the depth and the degree of $T_0$ are linear in $|S|$, hence 
we can store paths of $T_0$). The main idea is to guess the tree $T_0$ implicitly, in a 
DFS traversal where we store together with the current path also the (ordered 
sequence of) siblings of the intermediate nodes. Using Lem. 5 it is sufficient to 
verify the existence of a suitable run $R$, piecewise, along with the DFS traversal. 

The (nondeterministic) PSPACE algorithm works as follows (see also Fig. 4). 
Assume that the current path in $T_0$ is $(s_0, \ldots, s_k)$, $k \le |S|$, and that we also stored 
the (ordered) sequence $L_i$ of siblings of $s_i$ in $T_0$, $1 \le i \le k$. Moreover, we guessed 
sets of events $I(s) \subseteq E$ for all $s \in L_{i+1}$ and we verified the existence of maximal 
runs satisfying Lem. 5 with $r = s_i$, $L = L_{i+1}$, $G$. If $k < |S|$ then we can either 
proceed with DFS and guess $s_{k+1}$, $L_{k+1}$, …, or $s_k$ is a leaf in $T_0$ and we apply 
Lem. 5 with $L = \emptyset$. Furthermore we verify that $(s_0, \ldots, s_k)$ is downward closed 
w.r.t. the causal order in the run built so far by using Lem. 5. For this, we use 
the sets $I(s_i)$. Using Lem. 5 we checked that a suitable run with root $s_i$ exists 
s.t. every node on the path to $s_j$ is labelled by an event from $I(s_j)$. 
Thus, it suffices to check for each $i < j \le k$ and each $e' \in I(s_i)$ that $e' \prec ev(s_j)$ 
is not satisfied. Finally, we verify that the path $(s_0, \ldots, s_k)$ matches $\chi$ and then 
we backtrack in the DFS traversal. 



3.3 Specifying Properties by And-Or Templates 

Consider a template given as an and-or MSC graph $M$. We want to determine 
the set of event sequences $L(M) \subseteq E^\infty$ which are described by $M$. That is, we 
let $\alpha \in L(M)$ if $\alpha = ev(\chi)$ for some path $\chi$ in a system graph such that there is 
a matching of some maximal run of $M$ into the path $\chi$. Prop. 3 gives us the basic 
description of the set $L(M)$ as a finite union over languages $L(M, T_0, G) \subseteq E^\infty$, 
where $T_0$ is a tree labelled by states of $M$ and $G \subseteq E$ is a set of events of $M$. 
Let $\alpha \in L(M, T_0, G)$ if 

— every event $e \in G$ occurs infinitely often in $\alpha$, and 

— every path of $T_0$ matches $\alpha$. 

Fig. 4. Guessing the maximal run $R$, resp. the path $(s_0, \ldots, s_k)$ in $T_0$. 

For any language $F \subseteq E^*$ we denote by $F \sqcup\!\sqcup E^*$ the shuffle ideal generated by 
$F$, i.e. $F \sqcup\!\sqcup E^* = \{v_0 u_1 v_1 \cdots u_n v_n \mid u_1 \cdots u_n \in F,\ v_i \in E^*\}$. For subsets $G \subseteq E$ 
we denote by $inf(G)$ the set of sequences $\alpha \in E^\infty$ where every event $e \in G$ 
occurs infinitely often. For $\alpha \in E^\infty$ we denote below by $tr(\alpha) \subseteq E^\infty$ the set of 
linearizations of the causal order of $\alpha$. Let $tr(F) = \bigcup_{\alpha \in F} tr(\alpha)$. 

Proposition 4. Let $M$ be an and-or MSC template graph over the event set $E$. 
The language $L(M)$ associated with the template $M$ has the form 

$\bigcup_{F, G} (F \sqcup\!\sqcup E^*)\, inf(G)$, 

where $F \subseteq E^*$ is a finite set, $tr(F) = F$ and $G \subseteq E$. 

Proof. Any language $L(M, T_0, G)$ as described above is a (finite) intersection of 
languages of the form $(tr(\alpha) \sqcup\!\sqcup E^*)\, inf(G)$, where $\alpha$ is such that $tr(\alpha) \subseteq tr(\beta)$ for 
some path $\chi$ in $T_0$ with $\beta = ev(\chi)$. Let $\alpha, \beta \in E^*$, $G, H \subseteq E$. Then we have 

$(tr(\alpha) \sqcup\!\sqcup E^*)\, inf(G) \cap (tr(\beta) \sqcup\!\sqcup E^*)\, inf(H) = (\Gamma \sqcup\!\sqcup E^*)\, inf(G \cup H)$, 

where $\Gamma$ contains all sequences $\gamma$ of minimal length such that for some $\alpha' \in tr(\alpha)$, 
$\beta' \in tr(\beta)$, both $\alpha', \beta'$ are subwords of $\gamma$. Moreover, it is not hard to check that 
$\Gamma$ can be chosen s.t. $tr(\Gamma) = \Gamma$. 

4 Matching LTL Properties 

In this section we consider properties (templates) specified by linear temporal 
logic. Our LTL formulas define finite or infinite strings over the alphabet $E = 
\{s_{ij}, r_{ij} \mid 1 \le i, j \le m\}$ of events. They are built over atomic propositions 
$P_e$, $e \in E$, using the temporal operators X (nexttime) and U (until), and the 
Boolean connectives $\wedge$, $\vee$, $\neg$. 

Definition 7 (LTL Matching Problem). Given a template $M$ as an LTL 
formula $\phi$ and a system $N$ as an MSC graph. We say that the template $M$ 
matches the system $N$ if there is some sequence of events $\alpha \in E^\infty$ such that 
$\alpha \models \phi$ and $\alpha$ matches some maximal path in $N$. 

Theorem 2. The LTL matching problem is PSPACE-complete. 

We will show the above theorem in a more general setting using automata. 
Recall that every state of the system graph $N$ is labelled by a single event. 
Thus we can easily associate to $N$ a nondeterministic Büchi automaton $A_N$ of 
the same size such that $L(A_N)$ consists of all maximal executions of $N$. On 
the other hand it is well-known how to associate to every LTL formula $\phi$ an 
alternating Büchi automaton with $O(|\phi|)$ states accepting exactly the sequences 
satisfying $\phi$, see e.g. [10]. Moreover, for every alternating Büchi automaton with 
$n$ states there is an equivalent nondeterministic Büchi automaton with $2^{O(n)}$ 
states which can be built on-line using only $O(n)$ space, see [6]. We are thus led 
to a language-theoretical formulation of the LTL matching problem: 

The matching problem for alternating automata: Given an alternating 
Büchi automaton $A_M$ and a nondeterministic Büchi automaton $A_N$ over $E$. 
Then we ask whether some sequences $\alpha \in L(A_M)$, $\beta \in L(A_N)$ exist such that $\alpha$ 
matches $\beta$. 

Proposition 5. The matching problem for alternating automata is PSPACE- 
complete. 

Proof. Due to the PSPACE-hardness of the satisfiability problem for LTL it suf- 
fices to show the upper bound. Let $A_M$ denote an alternating Büchi automaton 
and let $B_M = (Q, E, q_0, \delta, F)$ denote an equivalent nondeterministic Büchi au- 
tomaton as given by [6]. Let $A_N = (Q', E, q'_0, \delta', F')$ denote the nondeterministic 
Büchi automaton representing the system. By an immediate modification and 
extension of Lem. 3 we note that $M$ matches $N$ if and only if final states $f \in F$, 
$f' \in F'$ exist such that 

— for some paths $\pi = (q_0, \ldots, q_k = f)$ in $B_M$, resp. $\pi' = (q'_0, \ldots, q'_l = f')$ 
in $A_N$, the execution of $\pi$ matches the execution of $\pi'$, i.e. $ev(\pi)$ matches 
$ev(\pi')$, and 

— some loops $\rho$ around $f$, resp. $\rho'$ around $f'$ exist satisfying $msg(\rho) \subseteq msg(\rho')$. 

Clearly, we can choose $\pi$ of length $k \le |Q|$. But since $|Q|$ is exponential in the 
size of $A_M$ we cannot guess $\pi$ directly. On the other hand, we have to match $\pi$ 
against $\pi'$ and this means that we have to consider permutations, due to the 
causal order of the events. To overcome these problems we consider below the 
shape of $\pi$ and $\pi'$ in more detail and exploit the fact that matching allows gaps. 

We denote by $C_1, C_2, \ldots, C_m$ the maximal strongly connected components 
of the subgraph of $A_N$ induced by $\pi'$. Thus, $\pi' = \pi'_1 \cdots \pi'_m$, such that w.l.o.g. $\pi'_j$ 
induces $C_j$. The components $C_j$ are naturally ordered, and we write $C_i < C_j$ for 
$i < j$. 

Consider some mapping $\mu$ matching $\pi$ into $\pi'$. We decompose $\pi$ into maximal 
segments $\pi_i$, $\pi = \pi_1 \cdots \pi_r$, such that for every segment $\pi_i$ all events of $ev(\pi_i)$ are 
matched by $\mu$ into the same component $\pi'_j$, for some $j$. Let $C(i) \in \{1, \ldots, m\}$ 
denote the component $C_j$ with $\mu(e) \in \pi'_j$ for all events $e$ in $ev(\pi_i)$. Note that 
for every $1 \le i < j \le r$, $C(i) > C(j)$ implies that $e \parallel e'$ for all events $e, e'$ with 
$e$ occurring in $ev(\pi_i)$, resp. $e'$ occurring in $ev(\pi_j)$. Otherwise, by the definition 
of matchings, we would require that $\mu(e) \prec \mu(e')$, contradicting $C(i) > C(j)$. 
The second basic observation is that every segment $\pi_i$ matches any path $\rho_i$ in 
$C(i)$ which visits every state of $C(i)$ sufficiently often. Therefore, we claim that 
a path $\pi$ in $B_M$ matches some path $\pi'$ in $A_N$ if and only if 

— some maximal strongly connected components $C_1, \ldots, C_m$ exist in $A_N$ with 
$q'_0 \in C_1$, as well as transitions from $C_i$ to $C_{i+1}$ for all $i$, 

— $\pi$ can be decomposed as $\pi = \pi_1 \cdots \pi_r$ such that for every $i$ some component 
$C(i) \in \{C_1, \ldots, C_m\}$ exists such that $msg(\pi_i) \subseteq msg(C(i))$, 

— for every $1 \le i < j \le r$ with $C(i) > C(j)$ we have $e \parallel e'$ for all events $e, e'$ 
occurring in $ev(\pi_i)$, resp. in $ev(\pi_j)$. 

We already showed one direction of the claim. For the converse, assume that 
$C_i$, $\pi_j$, $C(k)$ exist as above. Let $\rho_k$ denote the subpath of $\pi$ consisting of all 
segments $\pi_i$ with $C(i) = C_k$. Since $msg(\rho_k) \subseteq msg(C_k)$ and $C_k$ is strongly 
connected, we can determine a path $\rho'_k$ looping in $C_k$ such that $\rho_k$ matches $\rho'_k$ 
(via some mapping $\mu$). Moreover, $\rho'_k$ can be chosen such that $\rho' = \rho'_1 \cdots \rho'_m$ is a 
path in $A_N$. Finally the last condition above yields that $\pi$ matches $\rho'$. This is 
seen by noting that for any events $e, e'$ occurring in $ev(\rho_i)$, resp. $ev(\rho_j)$, $e \prec e'$ 
implies $i \le j$, hence also $\mu(e) \prec \mu(e')$. 

The PSPACE algorithm on input $A_M, A_N$ works as follows. First we guess 
$m \le |Q'|$ strongly connected components $C_1, \ldots, C_m$ of $A_N$, such that $q'_0 \in 
C_1$ and there exist edges from $C_i$ to $C_{i+1}$, for all $i$. We guess the path $\pi$ in 
$B_M$ and its decomposition $\pi = \pi_1 \cdots \pi_r$ on-line. The only information which is 
(temporarily) stored concerns event types, which are required in order to check 
that $e \parallel e'$ for all events $e, e'$ occurring in $ev(\rho_i)$, resp. $ev(\rho_j)$, satisfying $i < j$ 
and $C(i) > C(j)$. For this step, we have to record at most $m$ subsets of $E$. More 
precisely, assume that $E_1, \ldots, E_m \subseteq E$ are initially empty. Along with guessing 
$\pi_i$ and some $C(i) = C_k$ we store $msg(\pi_i) \subseteq E$ and check that for no events 
$e \in E_j$, $e' \in msg(\pi_i)$ we have $e \prec e'$, whenever $C_k < C_j$ (i.e. $k < j$). Then we add 
$msg(\pi_i)$ to $E_k$. Moreover, we verify that $msg(\pi_i) \subseteq msg(C(i))$. 
5 Conclusion 

In this paper we characterized the complexity of matching template MSCs which 
are given as and-or graphs, resp. by LTL formulas. Under these semantics the 
matching problem becomes PSPACE-complete. However, our proofs show that 
the increased complexity (compared with previously investigated template se- 
mantics, e.g. or-graphs) is due rather to a more succinct representation than to 
more expressiveness. This leads to the question whether using negations resp. re- 
quiring that certain events occur only finitely often might increase the expres- 
siveness. 

Acknowledgments. The referees are kindly acknowledged for the careful read- 
ing and the suggestions for improving the presentation of the paper. 
Abstract. This paper presents a mu-calculus-based modal logic for de- 
scribing properties of probabilistic labeled transition systems (PLTSs) 
and develops a model-checking algorithm for determining whether or 
not states in finite-state PLTSs satisfy formulas in the logic. The logic 
is based on the distinction between (probabilistic) “systems” and (non- 
probabilistic) “observations”: using the modal mu-calculus, one may spec- 
ify sets of observations, and the semantics of our logic then enable state- 
ments to be made about the measures of such sets at various system 
states. The logic may be used to encode a variety of probabilistic modal 
and temporal logics; in addition, the model-checking problem for it may 
be reduced to the calculation of solutions to systems of non-linear equa- 
tions. 



1 Introduction 

Classical temporal-logic model checking [CES86, McM93] provides a basis for 
automatically checking the correctness of finite-state systems such as hardware 
designs and communication protocols. In this framework, systems are modeled 
as transition systems, and requirements are posed as formulas in temporal logic. 
A model checker then accepts two inputs, a transition system and a tempo- 
ral formula, and returns “true” if the system satisfies the formula and “false” 
otherwise. 

In traditional model checking, system models include information about the 
possible choices of execution steps in any given state. The corresponding tempo- 
ral logics then combine a language for describing properties of system “runs” with 
quantifiers for indicating when all/some of the runs of a system have a given prop- 
erty [Koz83, EH86]. When system models include probabilistic information re- 
garding their operational behavior, however, one frequently wishes to determine 
not just whether or not all/some system behaviors have a given property, but 
“how many” of them do. Many important questions of design and performance in 
distributed systems and communication protocols, such as “hot-spot” detection 
or reliability information, can be addressed more appropriately in such a proba- 
bilistic framework. Several examples of applying probabilistic model-checking to 
practical situations have been reported by Hansson [Han94]. Such motivations 
have led to the study of numerous probabilistic variants of temporal logic and 
model checking [ASB+95, BdA95, CY88, Han94, HK97, LS91, PZ93, Var85]. 



W. Thomas (Ed.): FOSSACS’99, LNCS 1578, pp. 288-305, 1999. 
(c) Springer-Verlag Berlin Heidelberg 1999 
The goal of this paper is to develop a uniform framework for temporal log- 
ics for probabilistic systems. To this end, we show how the unifying classical 
temporal logic, the modal mu-calculus [Koz83, EL86], may be altered by adding 
probabilistic quantifiers constraining the "probability" with which probabilistic 
systems satisfy mu-calculus formulas. We then show how a variety of existing 
probabilistic logics may be represented in our framework and present a model- 
checking algorithm. 

2 Probabilistic Transition Systems and the Logic GPL 

This section introduces the model of probabilistic computation used in this paper 
and defines the syntax and semantics of our logic, Generalized Probabilistic 
Logic. 

2.1 Reactive Probabilistic Labeled Transition Systems 

We use the reactive probabilistic labeled transition systems (PLTS for short) 
of [vGSST90, LS91] as models of probabilistic computation. These are defined 
with respect to fixed sets Act and Prop of atomic actions and propositions, 
respectively. The former set records the interactions the system may engage in 
with its environment, while the latter provides information about the states the 
system may enter. 

Definition 1. A PLTS $L$ is a tuple $(S, \delta, P, I)$, where 

— $(s, s', s_i \in)\, S$ is a countable set of states; 

— $\delta \subseteq S \times Act \times S$ is the transition relation; 

— $P : \delta \to (0, 1]$, the transition probability distribution, satisfies: 

$\sum_{(s, a, s') \in \delta} P(s, a, s') \in \{0, 1\}$ 

for all $s \in S$, $a \in Act$; and 

— $I : S \to 2^{Prop}$ is the interpretation function. 

Intuitively, a PLTS records the operational behavior of a system, with $S$ repre- 
senting the possible system states and $\delta$ the execution steps enabled in different 
system states; each such step is labeled with an action, and the intention is that 
when the environment of the system enables the action, the system may engage 
in a transition labeled by the action. When this is the case, $P(s, a, s')$ represents 
the probability with which the transition $(s, a, s')$ is selected as opposed to other 
transitions labeled by $a$ emanating from state $s$. Note that the conditions on $P$ 
ensure that if $(s, a, s') \in \delta$ for some $s'$, then $\sum_{(s, a, s'') \in \delta} P(s, a, s'') = 1$. In what 
follows we write $s \xrightarrow{a} s'$ if $(s, a, s') \in \delta$. 

In this paper we wish to view a (state in a) PLTS as an "experiment" in 
the probabilistic sense, with an "outcome", or "observation", representing a res- 
olution of all the possible probabilistic choices of transitions the system might 
experience as it executes. More specifically, given a state in the PLTS we can 
unroll the PLTS into an infinite tree rooted at this state. An observation would 
then be obtained from this tree by resolving all probabilistic choices, i.e. by 
removing all but one edge for any given action from each node in the tree. Fig- 
ure 1 presents a sample PLTS, its unrolling from a given state, and an associated 
observation. 




Fig. 1. A PLTS, its unrolling from a state, and an observation. Panels: (a) PLTS; (b) its unrolling; (c) an observation. 



2.2 Syntax of GPL 

Generalized Probabilistic Logic (GPL) is parameterized with respect to a set 
$(X, Y \in)\, Var$ of propositional variables, a set $(a, b \in)\, Act$ of actions, and a set 
$(A \in)\, Prop$ of atomic propositions. The syntax of GPL may then be given using 
the following BNF-like grammar, where $0 \le p \le 1$. 

$\phi ::= A \mid \neg A \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid \mathbb{P}_{\ge p}\psi \mid \mathbb{P}_{> p}\psi$ 

$\psi ::= \phi \mid X \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2 \mid \langle a \rangle \psi \mid [a]\psi \mid \mu X.\psi \mid \nu X.\psi$ 

The operators $\mu$ and $\nu$ bind variables in the usual sense, and one may define the 
standard notions of free and bound variables. Also, we refer to an occurrence 
of a bound variable $X$ in a formula as a $\mu$-occurrence if the closest enclosing 
binding operator for $X$ is $\mu$ and as a $\nu$-occurrence otherwise. GPL formulas are 
required to satisfy the following additional restrictions: they must contain no 
free variables, and no sub-formula of the form $\mu X.\psi$ ($\nu X.\psi$) may contain a free 
$\nu$-occurrence ($\mu$-occurrence) of a variable.$^1$ In what follows we refer to formulas 
generated from nonterminal $\phi$ etc. as state formulas and those generated from $\psi$ 
as fuzzy formulas; the formulas of GPL are the state formulas. We use $(\phi, \phi' \in)\, \Phi$ 
to represent the set of all state formulas and $(\psi, \psi' \in)\, \Psi$ for the set of all fuzzy 
formulas. In the remainder of the paper we write $\gamma[\gamma'/X]$ to denote the 
simultaneous substitution of $\gamma'$ for all free occurrences of $X$ in $\gamma$. We also note 
that although the logic limits the application of $\neg$ to atomic propositions, this 
does not restrict the expressiveness of the logic, as we indicate later. 

The next subsection defines the formal semantics of GPL, but the intuitive 
meanings of the operators may be understood as follows. Fuzzy formulas are to 
be interpreted as specifying sets of observations of PLTSs, which are themselves 
non-probabilistic trees as discussed above. An observation is in the set corre- 
sponding to the fuzzy formula if the root node of the observation satisfies the 
formula interpreted as a traditional mu-calculus formula: so $\langle a \rangle \psi$ holds of an 
observation if the root has an $a$-transition leading to the root of an obser- 
vation satisfying $\psi$, while it satisfies $[a]\psi$ if every $a$-transition leads to such an 
observation. Conjunction and disjunction have their usual interpretation. $\mu X.\psi$ 
and $\nu X.\psi$ are fixpoint operators describing the "least" and "greatest" solutions, 
respectively, to the "equation" $X = \psi$. It will turn out that any state in a given 
PLTS defines a probability space over observations and that our syntactic re- 
strictions ensure that the sets of observations defined by any fuzzy formula are 
measurable in a precise sense. State formulas will then be interpreted with re- 
spect to states in PLTSs, with a state satisfying a formula of the form $\mathbb{P}_{\ge p}\psi$ if 
the measure of the set of observations of the state that satisfy $\psi$ is at least $p$. 

2.3 Semantics of GPL 

This subsection formalizes the notions described informally above. We first define 
observations of a PLTS and show how the observations from a given state in a 
PLTS form a probability space. We then use these probability spaces to interpret 
GPL formulas. In what follows we fix sets Act and Prop. 



PLTSs and Measure Spaces of Observations To define the observation 
trees of a PLTS we introduce partial computations, which will form the nodes of 
the trees. 

Definition 2. Let $L = (S, \delta, P, I)$ be a PLTS. Then a sequence of the form 
$s_0 \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} s_n$ is a partial computation of $L$ if $n \ge 0$ and for all $0 \le i < n$, 
$s_i \xrightarrow{a_{i+1}} s_{i+1}$. 

Note that any $s \in S$ is a partial computation. If $\sigma = s_0 \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} s_n$ is a 
partial computation then we define $fst(\sigma)$ to be $s_0$ and $lst(\sigma)$ to be $s_n$. We also 
use $(\sigma \in)\, C_L$ to refer to the set of all partial computations of $L$ and take 
$C_L(s) = \{\sigma \in C_L \mid fst(\sigma) = s\}$ for $s \in S$. We define the following notations for 
partial computations. 

$^1$ In other words, formulas must be alternation-free in the sense of [EL86]. 



Definition 3. Let $\sigma = s_0 \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} s_n$ and $\sigma' = s'_0 \xrightarrow{a'_1} s'_1 \cdots \xrightarrow{a'_{n'}} s'_{n'}$ be partial 
computations of PLTS $L = (S, \delta, P, I)$, and let $a \in Act$. 

1. If $s_n \xrightarrow{a} s'_0$ then $\sigma \xrightarrow{a} \sigma'$ is the partial computation $s_0 \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} s_n \xrightarrow{a} s'_0 \xrightarrow{a'_1} s'_1 \cdots \xrightarrow{a'_{n'}} s'_{n'}$. 

2. $\sigma'$ is a prefix of $\sigma$ if $\sigma' = s_0 \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_i} s_i$ for some $i \le n$. 




We also introduce the following terminology for sets of partial computations. 

Definition 4. Let $L = (S, \delta, P, I)$ be a PLTS, and let $C \subseteq C_L$ be a set of partial 
computations. 

1. $C$ is prefix-closed if, for every $\sigma \in C$ and $\sigma'$ a prefix of $\sigma$, $\sigma' \in C$. 

2. $C$ is deterministic if for every $\sigma, \sigma' \in C$ with $\sigma = s_0 \xrightarrow{a_1} s_1 \cdots s_n \xrightarrow{a} s \cdots$ 
and $\sigma' = s_0 \xrightarrow{a_1} s_1 \cdots s_n \xrightarrow{a} s' \cdots$, we have $s = s'$. 

The term prefix-closed is standard, but the notion of determinacy of sets of 
partial computations deserves some comment. Intuitively, if two computations 
in a deterministic set of partial computations share a common prefix, then the 
first difference they can exhibit must involve transitions labeled by different 
actions; they cannot involve different transitions with the same action label. 

We can now define the deterministic trees, or d-trees, of a PLTS $L$ as follows. 

Definition 5. Let $L = (S, \delta, P, I)$ be a PLTS. Then $\emptyset \ne T \subseteq C_L$ is a d-tree if 
the following hold. 

1. There exists an $s \in S$ such that $T \subseteq C_L(s)$. 

2. $T$ is prefix-closed. 

3. $T$ is deterministic. 

If $C$ is a d-tree then we use $root(C)$ to refer to the $s$ such that $C \subseteq C_L(s)$ and 
$edges(C)$ to refer to the relation $\{(\sigma, a, \sigma') \mid \sigma, \sigma' \in C \wedge \exists s' \in S.\ \sigma' = \sigma \xrightarrow{a} s'\}$. 

We use $\mathcal{T}_L$ to refer to all the d-trees of $L$ and set $\mathcal{T}_L(s) = \{T \in \mathcal{T}_L \mid root(T) = 
s\}$. We call $T'$ a prefix of $T$ if $T' \subseteq T$. We write $T \xrightarrow{a} T'$ if $\{root(T) \xrightarrow{a} \sigma' \mid \sigma' \in 
T'\} \subseteq T$; intuitively, $T'$ is then the subtree of $T$ pointed to by an $a$-labeled edge. 
A d-tree $T$ is finite if $|T| < \infty$. Finally, we say that a d-tree is maximal if there 
exists no d-tree $T'$ with $T \subsetneq T'$ and use $\mathcal{M}_L$ and $\mathcal{M}_L(s)$ to refer to the set of 
all maximal d-trees of $L$ and all maximal d-trees of $L$ rooted at $s$, respectively. 

We wish to view the maximal deterministic d-trees of a PLTS as the "outcomes" of the PLTS and to talk about the likelihoods of different sets of outcomes. In order to do this, we define a probability space over maximal d-trees rooted at a given state of $L$. The construction of this space is very similar in spirit to the standard sequence space construction for Markov chains [KSK66]: we define a collection of "basic cylindrical sets" of maximal trees and use them to build a probability space over sets of maximal trees. The technical details appear below; in what follows, fix $L = (S, \delta, P, I)$. 

A basic cylindrical subset of $\mathcal{M}_L(s)$ contains all trees sharing a given finite prefix. 

Definition 6. Let $s \in S$, and let $T \in \mathcal{T}_L(s)$ be finite. Then $B_T \subseteq \mathcal{M}_L(s)$ is defined as: $B_T = \{T' \in \mathcal{M}_L \mid T \subseteq T'\}$. 

We can also define the measure of a basic cylindrical set as follows. 

Definition 7. Let $T \in \mathcal{T}_L(s)$ be finite, and let $B_T$ be the associated basic cylindrical set. Then the measure, $m(B_T)$, of $B_T$ is given by: 

$$m(B_T) = \prod_{(\sigma, a, \sigma') \in edges(T)} P(lst(\sigma), a, lst(\sigma')).$$ 

Intuitively, $m(B_T)$ represents the proportion of all maximal d-trees emanating from the root of $B_T$ that have $T$ as a prefix. 

For any given state $s$ in $L$ we can form the associated collection of basic cylindrical sets $\mathcal{B}_s^-$ consisting of sets of the form $B_T$ for finite $T$ with $root(T) = s$. We can then define a probability space $(\mathcal{M}_L(s), \mathcal{B}_s, m_s)$ as follows. 

Definition 8. Let $s \in S$. Then $\mathcal{B}_s$ is the smallest field of sets containing $\mathcal{B}_s^-$ and closed with respect to denumerable unions and complementation. $m_s : \mathcal{B}_s \to [0, 1]$ is then defined inductively as follows. 

$$m_s(B_T) = m(B_T)$$ 

$$m_s\Big(\bigcup_{i \in I} B_i\Big) = \sum_{i \in I} m_s(B_i) \quad \text{for pairwise disjoint } B_i$$ 

$$m_s(B^c) = 1 - m_s(B)$$ 

It is easy to show that for any $s$, $m_s$ is a probability measure over $\mathcal{B}_s$. Consequently, $(\mathcal{M}_L(s), \mathcal{B}_s, m_s)$ is indeed a probability space. We refer to a set $M \subseteq \mathcal{M}_L(s)$ as measurable if $M \in \mathcal{B}_s$. 



Semantics of Fuzzy Formulas In the remainder of this section we define the semantics of GPL formulas with respect to a fixed PLTS $L = (S, \delta, P, I)$ by giving mutually recursive definitions of a relation $\models_L \subseteq S \times \Phi$ and a function $\theta_L : \Psi \to 2^{\mathcal{M}_L}$, where $\Phi$ and $\Psi$ are the sets of state and fuzzy formulas, respectively. The former indicates when a state satisfies a state formula, while the latter returns the set of maximal d-trees satisfying a given fuzzy formula. In this subsection we present $\theta_L$; the next subsection then considers $\models_L$. In what follows we fix $L = (S, \delta, P, I)$. 

Our intention in defining $\theta_L(\psi)$ is that it return trees that, interpreted as (non-probabilistic) labeled transition systems, satisfy $\psi$ interpreted as a mu-calculus formula. To this end, we augment $\theta_L$ with an extra environment parameter $e : Var \to 2^{\mathcal{M}_L}$ that is used to interpret free variables. The formal definition of $\theta_L$ is the following. 
Definition 9. The function $\theta_L$ is defined inductively as follows. 

- $\theta_L(\phi)e = \bigcup_{s \models_L \phi} \mathcal{M}_L(s)$ 

- $\theta_L(X)e = e(X)$ 

- $\theta_L(\langle a \rangle \psi)e = \{T \mid \exists T' : T \xrightarrow{a} T' \wedge T' \in \theta_L(\psi)e\}$ 

- $\theta_L([a]\psi)e = \{T \mid (T \xrightarrow{a} T') \Rightarrow T' \in \theta_L(\psi)e\}$ 

- $\theta_L(\psi_1 \wedge \psi_2)e = \theta_L(\psi_1)e \cap \theta_L(\psi_2)e$ 

- $\theta_L(\psi_1 \vee \psi_2)e = \theta_L(\psi_1)e \cup \theta_L(\psi_2)e$ 

- $\theta_L(\mu X.\psi)e = \bigcup_{i=0}^{\infty} M_i$ where $M_0 = \emptyset$ and $M_{i+1} = \theta_L(\psi)e[X \mapsto M_i]$ 

- $\theta_L(\nu X.\psi)e = \bigcap_{i=0}^{\infty} N_i$ where $N_0 = \mathcal{M}_L$ and $N_{i+1} = \theta_L(\psi)e[X \mapsto N_i]$ 

When $\psi$ has no free variables, $\theta_L(\psi)e = \theta_L(\psi)e'$ for any environments $e, e'$. In this case we drop the environment $e$ and write $\theta_L(\psi)$. 

Some comments about this definition are in order. Firstly, it is straightforward to show that the semantics of all the operators except $\mu$ and $\nu$ are those that would be obtained by interpreting maximal deterministic trees as labeled transition systems and fuzzy formulas as mu-calculus formulas in the usual style [Koz83]. Secondly, because d-trees are deterministic it follows that if $T \in \theta_L(\langle a \rangle \psi)$ then $T \in \theta_L([a]\psi)$. Finally, the definitions we have given for $\mu$ and $\nu$ differ from the more general accounts that rely on the Tarski-Knaster fixpoint theorem. However, because of the "alternation-free" restriction we impose on our logic and the fact that d-trees are deterministic, the meanings of $\mu X.\psi$ and $\nu X.\psi$ are still least and greatest fixpoints in the usual sense. 

We close this section by remarking on an important property of $\theta_L$. For a given $s \in S$ let $\theta_{L,s}(\psi) = \theta_L(\psi) \cap \mathcal{M}_L(s)$ be the maximal d-trees from $s$ "satisfying" $\psi$. We have the following. 

Theorem 10. For any $s \in S$ and $\psi \in \Psi$, $\theta_{L,s}(\psi)$ is measurable.* 

Semantics of State Formulas We now define the semantics of state formulas by defining the relation $\models_L$. 

Definition 11. Let $L = (S, \delta, P, I)$ be a PLTS. Then $\models_L$ is defined inductively as follows. 

- $s \models_L A$ iff $A \in I(s)$. 

- $s \models_L \neg A$ iff $A \notin I(s)$. 

- $s \models_L \phi_1 \wedge \phi_2$ iff $s \models_L \phi_1$ and $s \models_L \phi_2$. 

- $s \models_L \phi_1 \vee \phi_2$ iff $s \models_L \phi_1$ or $s \models_L \phi_2$. 

- $s \models_L \Pr_{>p}\psi$ iff $m_s(\theta_{L,s}(\psi)) > p$. 

- $s \models_L \Pr_{\ge p}\psi$ iff $m_s(\theta_{L,s}(\psi)) \ge p$. 

An atomic proposition is satisfied by a state if the proposition is a member of the propositional labeling of the state. Conjunction and disjunction are interpreted in the usual manner, while a state satisfies a formula $\Pr_{>p}\psi$ iff the measure of the observations of $\psi$ rooted at $s$ exceeds $p$, and similarly for $\Pr_{\ge p}\psi$. 

* The question of whether the observations of non-alternation-free formulas are measurable is still open. 
Properties of the Semantics We close this section by remarking on some of the properties of GPL. The first shows that the modal operators for fuzzy formulas enjoy certain distributivity laws with respect to the propositional operators. 

Lemma 12. For a PLTS $L$, fuzzy formulas $\psi_1$ and $\psi_2$ and $a \in Act$, we have: 

1. $\theta_L(\langle a \rangle(\psi_1 \vee \psi_2)) = \theta_L(\langle a \rangle\psi_1 \vee \langle a \rangle\psi_2)$ 

2. $\theta_L([a](\psi_1 \vee \psi_2)) = \theta_L([a]\psi_1 \vee [a]\psi_2)$ 

3. $\theta_L(\langle a \rangle(\psi_1 \wedge \psi_2)) = \theta_L(\langle a \rangle\psi_1 \wedge \langle a \rangle\psi_2)$ 

4. $\theta_L([a](\psi_1 \wedge \psi_2)) = \theta_L([a]\psi_1 \wedge [a]\psi_2)$ 

5. $\theta_L([a]\psi_1 \wedge \langle a \rangle\psi_2) = \theta_L(\langle a \rangle(\psi_1 \wedge \psi_2))$ 

That $[a]$ distributes over $\vee$ and $\langle a \rangle$ over $\wedge$ is due to the determinacy of d-trees. Based on Theorem 10 and the definition of $\theta_L$, the next lemma also holds. 

Lemma 13. Let $s \in S$, $a \in Act$ and $\psi, \psi_1, \psi_2 \in \Psi$. Then we have the following. 

$$m_s(\theta_L(\psi_1 \vee \psi_2)) = m_s(\theta_L(\psi_1)) + m_s(\theta_L(\psi_2)) - m_s(\theta_L(\psi_1 \wedge \psi_2)) \qquad (1)$$ 

$$m_s(\theta_L(\langle a \rangle\psi)) = \sum_{(s, a, s') \in \delta} P(s, a, s') \cdot m_{s'}(\theta_L(\psi)) \qquad (2)$$ 

$$m_s(\theta_L([a]\psi)) = \begin{cases} m_s(\theta_L(\langle a \rangle\psi)) & \text{if } (s, a, s') \in \delta \text{ for some } s' \\ 1 & \text{otherwise} \end{cases}$$ 

Finally, although our logic only allows a restricted form of negation, we do have the following. 

Lemma 14. Let $L = (S, \delta, P, I)$ be a PLTS with $s \in S$, and let $\psi$ and $\phi$ be fuzzy and state formulas, respectively. Then there exist formulas $neg(\psi)$ and $neg(\phi)$ such that: 

$$\theta_{L,s}(neg(\psi)) = \mathcal{M}_L(s) - \theta_{L,s}(\psi) \quad \text{and} \quad s \models_L neg(\phi) \text{ iff } s \not\models_L \phi.$$ 

Proof. Follows from the duality of $\wedge/\vee$, $[a]/\langle a \rangle$, $\nu/\mu$, and $\Pr_{>p}/\Pr_{\ge 1-p}$. 



3 Expressiveness of GPL 

In this section we illustrate the expressive power of GPL by showing how three 
quite different probabilistic logics may be encoded within it. 



3.1 Encoding Probabilistic Modal Logic 

Probabilistic Modal Logic (PML) [LS91] is a probabilistic version of Hennessy-Milner logic [HM85] that has been shown to characterize probabilistic bisimulation equivalence over PLTSs. The formulas of the logic are generated by the following grammar: 







Murali Narasimha et al. 



where $0 < p < 1$, $A \in Prop$ and $a \in Act$. Formulas are interpreted with respect to states in a given PLTS $L = (S, \delta, P, I)$ via a relation $\models_{PML}$ between states and PML formulas. The definition appears below; the cases for $\neg$ and $\wedge$ have been omitted. 

$$s \models_{PML} A \text{ iff } A \in I(s)$$ 

$$s \models_{PML} \langle a \rangle_p \phi \text{ iff } \sum_{(s, a, s') \in \delta,\ s' \models_{PML} \phi} P(s, a, s') \ge p$$ 

Note that a state $s$ satisfies $\langle a \rangle_p \phi$ provided that the probability of taking an $a$-transition to a state satisfying $\phi$ is at least $p$. This observation suggests the following encoding function $E_{PML}$ for translating PML formulas into GPL formulas. 

$$E_{PML}(\phi) = \begin{cases} \phi & \text{if } \phi \in Prop \\ E_{PML}(\phi_1) \wedge E_{PML}(\phi_2) & \text{if } \phi = \phi_1 \wedge \phi_2 \\ neg(E_{PML}(\phi')) & \text{if } \phi = \neg\phi' \\ \Pr_{\ge p}\langle a \rangle E_{PML}(\phi') & \text{if } \phi = \langle a \rangle_p \phi' \end{cases}$$ 

In essence, the translation effectively replaces all occurrences of $\langle a \rangle_p$ by $\Pr_{\ge p}\langle a \rangle$. We have the following. 

Theorem 15. Let $\phi$ be a PML formula and $s$ be a state of PLTS $L$. Then $s \models_{PML} \phi$ iff $s \models_L E_{PML}(\phi)$. 



3.2 Encoding pCTL* 

pCTL* [ASB+95] represents a probabilistic variant of the temporal logic CTL* [EH86]. The latter logic is interpreted with respect to Kripke structures; the former is interpreted with respect to structures referred to in [ASB+95] as Markov processes (MP), which may be viewed as probabilistic Kripke structures. It turns out that MPs form a subclass of PLTSs. This section will show that pCTL* has a uniform encoding in GPL. 

A Markov process may be seen as a PLTS having only one action and in which every state has at least one outgoing transition. 

Definition 16. Let $Act = \{a\}$. Then a Markov process (MP) is a PLTS $(S, \delta, P, I)$ such that for any $s \in S$, $\sum_{s' \in S} P(s, a, s') = 1$. 

It is straightforward to see that the d-trees of a MP are in fact isomorphic to sequences of states from the MP: a sequence $\pi = s_0 s_1 \ldots$ coincides with the d-tree $\{\sigma_0, \sigma_1, \ldots\}$ where $\sigma_0 = s_0$ and $\sigma_{j+1} = \sigma_j \xrightarrow{a} s_{j+1}$. It then turns out that the measure space of d-trees for a state in a MP coincides with the standard sequence space construction for Markov chains [KSK66]. Consequently, in the following we will use the function $m_s$ to refer to the measure of both sets of sequences and sets of d-trees. We also use the following notations on infinite sequences $\pi = s_0 s_1 \ldots$: $\pi[i] = s_i$ and $\pi^i = s_i s_{i+1} \ldots$. 
Interpreting GPL over Markov Processes As every state in a MP has an outgoing transition, the semantics of the GPL constructs $\langle a \rangle\psi$ and $[a]\psi$ coincide. That is, when $M$ is a MP, Definition 9 implies that $\theta_M(\langle a \rangle\psi) = \theta_M([a]\psi)$. 

In the rest of this subsection we will show that pCTL* can be encoded in GPL. What makes the encoding possible is that: 

- The logic GPL is a two-level logic, much like CTL* and pCTL*. Consequently, probabilistic quantifiers in pCTL* formulae can be translated to probabilistic quantifiers of GPL formulae. 

- The semantics of fuzzy formulae are sets of sequences when the model is a Markov chain, and thus fuzzy formulae play the role of linear-time $\mu$-calculus formulae. Given that the alternation-free linear-time modal $\mu$-calculus is as expressive as linear-time temporal logic (LTL) [Sti92], the LTL portion of pCTL* (i.e., the path formulae of pCTL*) can be embedded into fuzzy formulae. 

This encoding contrasts with the encoding of CTL* into the modal $\mu$-calculus [EL86], where alternation is needed in the translation; the reason being that, unlike GPL, the modal $\mu$-calculus does not have path quantifiers. 



pCTL* Let $Prop$ be a set of atomic propositions, ranged over by $A$. The grammar below summarizes the syntax of pCTL*, which has two levels: state formulas ($\phi$) and path formulas ($\psi$). State formulas specify properties that hold in states of a MP while path formulae specify properties of execution sequences. 

$$\phi ::= A \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \Pr_{<p}\psi \mid \Pr_{\ge p}\psi$$ 

$$\psi ::= \phi \mid \neg\psi \mid \psi_1 \vee \psi_2 \mid X\psi \mid \psi_1 U \psi_2$$ 

Here $\Pr_{<p}$ and $\Pr_{\ge p}$ are probabilistic quantifiers, while $X$ denotes the next-state and $U$ the until operator, respectively. 

The semantics of pCTL* formulas is given with respect to a MP $M = (S, \delta, P, I)$ via a relation $\models_M^{pCTL*}$ relating states in $M$ to state formulas, and paths (infinite state sequences) in $M$ to path formulas. The interpretations of $\neg$ and $\vee$ are standard, and we omit them; what follows defines the meanings of the other operators. 



$$s \models_M^{pCTL*} A \text{ iff } A \in I(s)$$ 

$$s \models_M^{pCTL*} \Pr_{<p}\psi \text{ iff } m_s(\{\pi \mid \pi \models_M^{pCTL*} \psi\}) < p$$ 

$$s \models_M^{pCTL*} \Pr_{\ge p}\psi \text{ iff } m_s(\{\pi \mid \pi \models_M^{pCTL*} \psi\}) \ge p$$ 

$$\pi \models_M^{pCTL*} \phi \text{ iff } \pi[0] \models_M^{pCTL*} \phi$$ 

$$\pi \models_M^{pCTL*} X\psi \text{ iff } \pi^1 \models_M^{pCTL*} \psi$$ 

$$\pi \models_M^{pCTL*} \psi_1 U \psi_2 \text{ iff } \exists k \ge 0 : \pi^k \models_M^{pCTL*} \psi_2 \wedge \forall j : 0 \le j < k : \pi^j \models_M^{pCTL*} \psi_1$$ 

Our encoding of pCTL* in GPL translates state formulas into state formulas and path formulas into fuzzy ones. Our approach relies on the following recursive characterization of $U$: $\pi \models_M \psi_1 U \psi_2$ iff $\pi \models_M \psi_2 \vee (\psi_1 \wedge X(\psi_1 U \psi_2))$. The encoding may now be given as a function $E_{pCTL*}$ as follows, where $\gamma$ is either a state formula or a path formula. 

$$E_{pCTL*}(\gamma) = \begin{cases} \gamma & \text{if } \gamma \in Prop \\ neg(E_{pCTL*}(\gamma')) & \text{if } \gamma = \neg\gamma' \\ E_{pCTL*}(\gamma_1) \vee E_{pCTL*}(\gamma_2) & \text{if } \gamma = \gamma_1 \vee \gamma_2 \\ \Pr_{>1-p}\, neg(E_{pCTL*}(\psi)) & \text{if } \gamma = \Pr_{<p}\psi \\ \Pr_{\ge p}\, E_{pCTL*}(\psi) & \text{if } \gamma = \Pr_{\ge p}\psi \\ \langle a \rangle E_{pCTL*}(\psi) & \text{if } \gamma = X\psi \\ \mu X.(E_{pCTL*}(\psi_2) \vee (E_{pCTL*}(\psi_1) \wedge \langle a \rangle X)) & \text{if } \gamma = \psi_1 U \psi_2 \end{cases}$$ 

We now have the following. 

We now have the following. 



Theorem 17. Let $M$ be a MP, let $s$ be a state in $M$, and let $\pi$ be a path in $M$. Then: 

1. For any pCTL* state formula $\phi$, $s \models_M^{pCTL*} \phi$ iff $s \models_M E_{pCTL*}(\phi)$. 

2. For any pCTL* path formula $\psi$, $\pi \models_M^{pCTL*} \psi$ iff $\pi \in \theta_M(E_{pCTL*}(\psi))$. 
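The encoding $E_{pCTL*}$ above together with the $neg(\cdot)$ of Lemma 14, as an added Python example (not the paper's own code). The tuple representation of formulas, the numbering X0, X1, ... of the fixpoint variables introduced for nested untils, and the name 'a' for the Markov process's only action are this example's assumptions.

```python
"""E_pCTL*: translating pCTL* (Section 3.2) into GPL over a Markov process
with the single action 'a' (Definition 16).  Added example, not the paper's code.

Assumed tuple representation of formulas:
  pCTL*: ('prop', A) | ('not', g) | ('or', g1, g2) | ('prlt', p, psi) | ('prge', p, psi)
         | ('next', psi) | ('until', psi1, psi2)
  GPL:   ('prop', A) | ('nprop', A) | ('and', f, g) | ('or', f, g) | ('dia', a, f)
         | ('box', a, f) | ('mu', X, f) | ('nu', X, f) | ('var', X)
         | ('prgt', p, psi) | ('prge', p, psi)          # Pr_{>p}, Pr_{>=p}
"""
import itertools

ACTION = "a"          # the only action of a Markov process


def neg(f):
    """neg(.) of Lemma 14, pushed inwards through the dualities and/or, [a]/<a>,
    nu/mu and Pr_{>p}/Pr_{>=1-p}; atomic propositions flip between A and ~A
    (the only negation GPL state formulas allow).  Bound variables stay as they are."""
    k = f[0]
    if k == "prop":  return ("nprop", f[1])
    if k == "nprop": return ("prop", f[1])
    if k == "var":   return f
    if k == "and":   return ("or", neg(f[1]), neg(f[2]))
    if k == "or":    return ("and", neg(f[1]), neg(f[2]))
    if k == "dia":   return ("box", f[1], neg(f[2]))
    if k == "box":   return ("dia", f[1], neg(f[2]))
    if k == "mu":    return ("nu", f[1], neg(f[2]))
    if k == "nu":    return ("mu", f[1], neg(f[2]))
    if k == "prgt":  return ("prge", 1 - f[1], neg(f[2]))   # m > p  iff  not (1-m >= 1-p)
    if k == "prge":  return ("prgt", 1 - f[1], neg(f[2]))   # m >= p iff  not (1-m > 1-p)
    raise ValueError(f"not a GPL formula: {f!r}")


def encode(g, fresh=None):
    """E_pCTL*: pCTL* state formulas become GPL state formulas, path formulas
    become fuzzy formulas.  `fresh` numbers the fixpoint variables X0, X1, ...
    so that nested untils get distinct names (an assumption of this example)."""
    fresh = itertools.count() if fresh is None else fresh
    k = g[0]
    if k == "prop":  return g
    if k == "not":   return neg(encode(g[1], fresh))
    if k == "or":    return ("or", encode(g[1], fresh), encode(g[2], fresh))
    if k == "prlt":  return ("prgt", 1 - g[1], neg(encode(g[2], fresh)))  # Pr_{<p} psi
    if k == "prge":  return ("prge", g[1], encode(g[2], fresh))
    if k == "next":  return ("dia", ACTION, encode(g[1], fresh))
    if k == "until":            # psi1 U psi2  =  psi2 v (psi1 ^ X(psi1 U psi2))
        x = f"X{next(fresh)}"
        return ("mu", x, ("or", encode(g[2], fresh),
                          ("and", encode(g[1], fresh), ("dia", ACTION, ("var", x)))))
    raise ValueError(f"not a pCTL* formula: {g!r}")


def show(f):
    """Render a GPL formula in the paper's notation (ASCII)."""
    k = f[0]
    if k in ("prop", "var"): return f[1]
    if k == "nprop":         return "~" + f[1]
    if k == "and":           return f"({show(f[1])} ^ {show(f[2])})"
    if k == "or":            return f"({show(f[1])} v {show(f[2])})"
    if k == "dia":           return f"<{f[1]}>{show(f[2])}"
    if k == "box":           return f"[{f[1]}]{show(f[2])}"
    if k in ("mu", "nu"):    return f"{k}{f[1]}.{show(f[2])}"
    if k == "prgt":          return f"Pr>{f[1]:g} {show(f[2])}"
    if k == "prge":          return f"Pr>={f[1]:g} {show(f[2])}"
    raise ValueError(f"not a GPL formula: {f!r}")


if __name__ == "__main__":
    # Pr_{>=0.9}(A U B): B is reached through A-states with probability at least 0.9
    print(show(encode(("prge", 0.9, ("until", ("prop", "A"), ("prop", "B"))))))
    # not Pr_{>=0.25} X A: the negation is pushed through Pr, <a> and A
    print(show(encode(("not", ("prge", 0.25, ("next", ("prop", "A")))))))
```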



3.3 Reconstructing the Logic of Huth and Kwiatkowska 

Huth and Kwiatkowska develop a notion of quantitative model checking [HK97] in which one calculates the likelihood with which a system state satisfies a formula. The basis for their approach lies in a semantics for the modal mu-calculus that assigns "probabilities", rather than truth values, to assertions about states in a PLTS. In this section we briefly review their approach, offer a criticism of it, and show how GPL provides a principled means of remedying the criticism. 

The syntax of their logic coincides with the syntax of our fuzzy formulas with the following exceptions: (1) they allow negation (although in such a way that negations can be eliminated in the usual manner); (2) the only atomic propositions are $tt$ ("true") and $ff$ ("false"); (3) no use of the probabilistic quantifiers $\Pr_{>p}$ and $\Pr_{\ge p}$ is allowed. They then present three semantics for the logic that differ only in their interpretation of conjunction. Each interprets formulas as functions mapping states to numbers in $[0, 1]$; formally, given PLTS $L$, $[\![\psi]\!]_L : S \to [0, 1]$ represents the interpretation of formula $\psi$. What follows presents the relevant portions of these semantics. 

$$[\![tt]\!]_L(s) = 1$$ 

$$[\![\langle a \rangle\psi]\!]_L(s) = \sum_{(s, a, s') \in \delta} P(s, a, s') \cdot [\![\psi]\!]_L(s')$$ 

$$[\![\psi_1 \wedge \psi_2]\!]_L(s) = f([\![\psi_1]\!]_L(s), [\![\psi_2]\!]_L(s))$$ 

The meanings of the other boolean and modal operators may be obtained using dualities (e.g. $[\![[a]\psi]\!]_L(s) = 1 - [\![\langle a \rangle\neg\psi]\!]_L(s)$), while the meanings of fixed points may be obtained using the usual Tarski-Knaster construction. The semantics of $\wedge$ contains a parameter $f$; [HK97] provides three different instantiations of $f$. 

1. $f(x, y) = \min(x, y)$ 

2. $f(x, y) = x \cdot y$ 

3. $f(x, y) = \max(x + y - 1, 0)$ 

Each unfortunately has its drawbacks. The first two fail to validate some expected logical equivalences; for example, it is not the case that $tt$ is equivalent to $\psi \vee \neg\psi$. The authors refer to the third as a "fuzzy" interpretation and indicate that it is intended only to provide a "lower approximation" on probabilities; "real" probabilities are therefore not calculated. 

GPL permits a similar interpretation to be attached to the mu-calculus, but in such a way that exact probabilities may be assigned to formulas. Consider the function given by: 

One can show that this interpretation preserves much of the semantics of Huth and Kwiatkowska; in particular, Lemmas 13 and 14 show that this definition attaches the same interpretations to the modalities. It is also the case that expected logical equivalences hold, and that this interpretation yields a probability with a precise, measure-theoretic interpretation. Finally, it should be easy to observe that our logic coincides with probabilistic bisimulation [LS91], a property not true of Huth and Kwiatkowska's interpretation. 

4 Model Checking 

This section now describes a procedure for determining whether or not a given state in a finite-state PLTS satisfies a GPL formula. We present the algorithm in two stages. The first shows how to calculate the measure of observations that are rooted at a given PLTS state and satisfy a fuzzy formula; the second then shows how this routine may be used to implement full GPL model checking. We assume that the formulas to be considered have no unguarded occurrences of bound variables. That is, in every sub-formula of the form $\sigma X.\psi$, where $\sigma$ is either $\mu$ or $\nu$, each occurrence of $X$ in $\psi$ falls within the scope of a $\langle a \rangle$ or a $[a]$ operator. Any mu-calculus formula may be transformed into one satisfying this restriction. In the remainder of this section we fix a specific PLTS $L = (S, \delta, P, I)$. 

4.1 Computing the Measure of Fuzzy Formulas 

This subsection sketches a procedure modchk-fuzzy whose task is to compute $m_{s_0}(\theta_L(\psi))$ for a given fuzzy formula $\psi$ and a state $s_0$ of the PLTS. The algorithm consists of the following steps. 

1. From $L$, $s_0$ and $\psi$, construct a dependency graph. 

2. From the graph, extract a system of (non-linear) measure equations. 

3. Calculate a specific solution to these equations; one of the results will be $m_{s_0}(\theta_L(\psi))$. 

The remainder of this subsection describes each of these steps in more detail, with intuitive explanations for why the constructions work. 
A graph construction. The first step in modchk-fuzzy involves constructing a graph that describes the relationship between the quantity $m_{s_0}(\theta_L(\psi))$ that we wish to compute and quantities of the form $m_s(\theta_L(\psi'))$, where $s$ is a derivative of $s_0$ and $\psi'$ a formula derived appropriately from $\psi$. This graph will have vertices of the form $(s, F)$, where $s \in S$ and $F$ is a set of fuzzy formulas. The edges from $(s, F)$ then provide "local" information regarding $m_s(\theta_L(\bigwedge F))$. 

In order to define the graph formally we need the following notions. 

Definition 18. For a closed fuzzy formula $\psi$ define the closure, written as $Cl(\psi)$, as the smallest set of formulae satisfying the following rules: 

- $\psi \in Cl(\psi)$ 

- if $\psi' \in Cl(\psi)$ and $\psi' = \psi_1 \wedge \psi_2$ or $\psi_1 \vee \psi_2$ then $\psi_1, \psi_2 \in Cl(\psi)$ 

- if $\psi' \in Cl(\psi)$ and $\psi' = \langle a \rangle\psi''$ or $[a]\psi''$ for some $a \in Act$, then $\psi'' \in Cl(\psi)$ 

- if $\psi' \in Cl(\psi)$ and $\psi' = \sigma X.\psi''$ then $\psi''[\sigma X.\psi''/X] \in Cl(\psi)$ ($\sigma$ is either $\mu$ or $\nu$) 

One may easily show that $Cl(\psi)$ contains no more elements than $\psi$ contains sub-formulas. 

The node set $N$ in the graph is the set $S \times 2^{Cl(\psi)}$; that is, nodes have form $(s, F)$, where $s \in S$ and $F \subseteq Cl(\psi)$. We further introduce the following classification on nodes. 

- $(s, F)$ is a true node if $F = \emptyset$ or if every element of $F$ has form $[a]\psi'$ and for every such $a$, $s$ is incapable of an $a$-transition. 

- $(s, F)$ is a false node if there exists a state formula $\phi \in F$ with $s \not\models_L \phi$ or if there exists a formula of the form $\langle a \rangle\psi'$ in $F$ and $s$ is incapable of an $a$-transition. 

- $(s, F)$ is an and-node if there exists a formula $\psi_1 \wedge \psi_2 \in F$. 

- $(s, F)$ is an action-node if every formula in $F$ has form $\langle a \rangle\psi'$ or $[a]\psi'$. 

- $(s, F)$ is a $\mu$-node if there exists a formula $\psi' \in F$ containing a top-level fixpoint sub-formula of form $\mu X.\psi''$; it is a $\nu$-node otherwise. 

Note that these categories overlap one another. 

The edges in the graph are labeled by elements drawn from the set $Act \cup \{\epsilon^+, \epsilon^-\}$ (where it is assumed that $\epsilon^+, \epsilon^- \notin Act$). The edge set $E \subseteq N \times (Act \cup \{\epsilon^+, \epsilon^-\}) \times N$ is defined as follows. 

1. If $n = (s, F)$ is a true node or a false node,† then $n$ is a sink node; 

2. else if $(s, F)$ contains state formulas then $((s, F), \epsilon^+, (s, F')) \in E$, where $F'$ is $F$ with all state formulas deleted; 

3. else if $(s, F)$ contains a fixpoint formula $\psi' = \sigma X.\psi''$ (where $\sigma$ is $\mu$ or $\nu$) then $((s, F), \epsilon^+, (s, F - \{\psi'\} \cup \{\psi''[\psi'/X]\})) \in E$; 

4. else if $\psi = \psi_1 \wedge \psi_2 \in F$ then $((s, F), \epsilon^+, (s, F - \{\psi\} \cup \{\psi_1, \psi_2\})) \in E$; 

5. else if $(s, F)$ is not an and-node and $\psi = \psi_1 \vee \psi_2 \in F$ then $((s, F), \epsilon^+, (s, F - \{\psi\} \cup \{\psi_1\})) \in E$, $((s, F), \epsilon^+, (s, F - \{\psi\} \cup \{\psi_2\})) \in E$, and $((s, F), \epsilon^-, (s, F - \{\psi\} \cup \{\psi_1, \psi_2\})) \in E$; 

† Determining whether a node is false may require determining if $s \models_L \phi$ for some state formula $\phi$. This can be done by (recursively) invoking the model-checking procedure described in the next section. 
6. else if $(s, F)$ is an action node, let $F_a = \{\psi' \mid \langle a \rangle\psi' \in F \text{ or } [a]\psi' \in F\}$. Then for any $a \in Act$ with $F_a \neq \emptyset$ and $s' \in S$ such that $(s, a, s') \in \delta$, $((s, F), a, (s', F_a)) \in E$. 

Intuitively, an edge $((s, F), l, (s', F'))$ indicates a "local relationship" between $m_s(\theta_L(\bigwedge F))$ and $m_{s'}(\theta_L(\bigwedge F'))$. To see this, first note that if $(s, F)$ is a true node (false node) then $m_s(\theta_L(\bigwedge F)) = 1$ (0). Now suppose that $(s, F)$ is an or-node to which case 5 applies. This means that $F = F' \cup \{\psi_1 \vee \psi_2\}$, and the semantics of the logic entails that $\bigwedge F$ and $(\bigwedge F' \wedge \psi_1) \vee (\bigwedge F' \wedge \psi_2)$ are logically equivalent. From Lemma 13 we may therefore conclude the following. 

$$m_s(\theta_L(\textstyle\bigwedge F)) = m_s(\theta_L(\bigwedge F' \wedge \psi_1)) + m_s(\theta_L(\bigwedge F' \wedge \psi_2)) - m_s(\theta_L(\bigwedge(F' \cup \{\psi_1, \psi_2\})))$$ 

This observation is encoded in the $\epsilon^+$ and $\epsilon^-$ edges emanating from $(s, F)$. Similar observations hold for the other nodes, with the exception of action nodes, which we discuss in more detail below. 

Generating equations from the graph. We now explain how to generate a system of equations from the graph described above. The system will contain one variable, $X_n$, for each node $n$ in the graph and one equation containing this variable as its left-hand side. The right-hand side of the equation for $X_n$ is generated as follows, based on the edges emanating from $n$. 

1. If $n$ is a true node then the equation for $X_n$ is $X_n = 1$; if $n$ is a false node, the equation for $X_n$ is $X_n = 0$. 

2. If there is an edge of the form $(n, \epsilon^+, n')$ then the equation for $X_n$ is 

$$X_n = \sum_{(n, \epsilon^+, n') \in E} X_{n'} - \sum_{(n, \epsilon^-, n') \in E} X_{n'}$$ 

3. If $n = (s, F)$ is an action node, let $A_n = \{a \mid (n, a, n') \in E\}$. Then the equation for $X_n$ is 

$$X_n = \prod_{a \in A_n} \sum_{(n, a, (s', F')) \in E} P(s, a, s') \cdot X_{(s', F')}$$ 

Intuitively, these equations are intended to reflect relationships among the measures associated with each vertex. The right-hand side of the equation associated with an action node reflects this intuition. A small example illustrates why. Suppose that action node $(s, F)$ is such that $F = \{\langle a \rangle\psi_1, \langle b \rangle\psi_2\}$. Since this is not a false node, it follows that $s$ has both $a$- and $b$-transitions. The question is, what is the measure of observations rooted at $s$ and satisfying $\bigwedge F$? Each such observation would select one $a$-transition and one $b$-transition from $s$, with the target of the $a$-transition then being the root of an observation satisfying $\psi_1$ and similarly for the target of the $b$-transition. For a given combination of single $a$- and $b$-transitions with target states $s_a$ and $s_b$, the measure of observations using these transitions and satisfying $\bigwedge F$ is $P(s, a, s_a) \cdot m_{s_a}(\theta_L(\psi_1)) \cdot P(s, b, s_b) \cdot m_{s_b}(\theta_L(\psi_2))$. Using simple symbol pushing, it is then easy to show that the total measure of observations emanating from $s$ and satisfying $\bigwedge F$ is characterized by the right-hand side of the equation above. 

We now have the following. 

Lemma 19. Let $\mathcal{E} = \{X_n = E_n\}$ be the equations generated above, and let $\Lambda$ be the "vector" $\{X_n = m_s(\theta_L(\bigwedge F))\}$, where $n = (s, F)$. Then $\Lambda$ is a solution to $\mathcal{E}$. 

Solving the equations. The previous lemma indicates that the equations we generate are "faithful" to the measures we wish to calculate in the sense that they are indeed a solution to the equations. However, in general there will be many such solutions, and the question then arises as to how we determine which solution indeed corresponds to the measures we want. The procedure modchk-fuzzy does so as follows. 

1. Compute the strongly connected components of the graph from which the equations are constructed and topologically sort them. 

2. Propagate solutions as far as possible: if a solution has been computed for a variable, replace all occurrences of the variable in the right-hand sides by its value. 

3. Beginning at the end of the strongly connected component list, process each component $C$ as follows. 

(a) If $C$ contains a $\mu$-node, assign each variable corresponding to a node in $C$ the value 0; otherwise, assign each variable the value 1. 

(b) Repeatedly calculate new values for the variables of $C$ by evaluating each right-hand side using the old values. Stop when values don't change (or fall within a tolerance $\epsilon$ that is a parameter to the algorithm). 

(c) Propagate these values. 

In general, this algorithm requires the specification of an "error tolerance" $\epsilon$ because the quantities being manipulated are real numbers. So the algorithm is approximation-based. However, all the functions being used are continuous, and hence the iteration process described above converges. We now have the following. 

Lemma 20. Let $s \in S$ and $\psi$ be a fuzzy formula. Then the quantity calculated for $X_{(s, \{\psi\})}$ converges to $m_s(\theta_L(\psi))$. 

4.2 Model Checking and GPL 

The procedure modchk-fuzzy may now be used to build a model-checker for GPL. This model checker engages in a case analysis on the formula $\phi$ and performs the obvious operations if the formula is not of the form $\Pr_{>p}\psi$ or $\Pr_{\ge p}\psi$. In these latter two cases, modchk-fuzzy is called to calculate $m_s(\theta_L(\psi))$, and the answer compared to $p$ appropriately. As modchk-fuzzy is an approximation-based numerical algorithm, the usual numerical issues must be confronted in performing these comparisons. In particular, if the computed answer is close enough to $p$ to fall within the margin of error, then only indeterminate answers can be given. 
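Steps 3(a) and 3(b) of modchk-fuzzy and the comparison of Section 4.2, as an added Python example (not the paper's code). It is restricted to one guarded fixpoint formula $\sigma X.\ stop \vee (cont \wedge \bigwedge_a \langle a \rangle X)$, for which the page's equations collapse to one variable per state, so the $(s, F)$ graph and its SCC ordering are not built; the two transition systems inside are constructed for the example.

```python
"""Solving the measure equations of Section 4.1 by the fixpoint iteration of
step 3, for one guarded fuzzy formula of the shape (an assumption of this example)

    sigma X. stop v (cont ^ <a_1>X ^ ... ^ <a_k>X),      sigma in {mu, nu},

where stop and cont are state formulas, given here as the sets of states that
satisfy them (an empty `stop` stands for ff).  Added example, not the paper's code.

Following the node (s, {sigma X. ...}) through the e+/e- edges of the or-node,
the and-node and the state-formula nodes collapses the page's equations into
one variable x_s per state:

    x_s = 1                                                 if s |= stop
    x_s = [s |= cont] * prod_a sum_{s'} P(s,a,s') * x_{s'}   otherwise,

the product being the action-node rule (a deterministic tree keeps exactly one
a-transition for every a), and x_s = 0 when s lacks an a-transition for some a
(a false node).  One action gives a linear system (the Markov process case of
Section 4.3); two or more give the polynomial one.
"""
from typing import Dict, Hashable, Iterable, Optional, Set

State = Hashable
PLTS = Dict[State, Dict[str, Dict[State, float]]]   # s -> a -> {s': P(s, a, s')}


def measure_fixpoint(plts: PLTS, states: Iterable[State], sigma: str,
                     stop: Set[State], cont: Set[State], actions: Iterable[str],
                     eps: float = 1e-9, max_iter: int = 100_000) -> Dict[State, float]:
    """x_s = m_s(theta_L(sigma X. stop v (cont ^ /\\_a <a>X))) for every state s.
    mu-nodes start at 0 and nu-nodes at 1 (step 3(a)); every right-hand side is
    then re-evaluated on the old values until the largest change is below eps
    (step 3(b)).  With a single fixpoint all nodes are of the same kind, so the
    SCC ordering of steps 1-2 adds nothing and one sweep over all variables is used."""
    states, actions = list(states), list(actions)
    x = {s: (0.0 if sigma == "mu" else 1.0) for s in states}
    for _ in range(max_iter):
        new = {}
        for s in states:
            if s in stop:                       # true node: every maximal d-tree from s qualifies
                new[s] = 1.0
            elif s not in cont or any(not plts.get(s, {}).get(a) for a in actions):
                new[s] = 0.0                    # false node: cont fails or some <a>X has no a-edge
            else:
                val = 1.0
                for a in actions:               # action-node rule: product over actions
                    val *= sum(p * x[t] for t, p in plts[s][a].items())
                new[s] = val
        delta = max(abs(new[s] - x[s]) for s in states)
        x = new
        if delta < eps:
            return x
    raise RuntimeError("iteration did not converge within max_iter sweeps")


def check_prob(measure: float, p: float, strict: bool, eps: float = 1e-9) -> Optional[bool]:
    """Section 4.2: decide Pr_{>p} (strict=True) or Pr_{>=p} from an approximate
    measure.  Returns None when the value lies within eps of p, where the
    approximation can only give an indeterminate answer."""
    if abs(measure - p) <= eps:
        return None
    return measure > p if strict else measure >= p


# Constructed sample 1: a Markov process (single action 'a'); s2 is the goal state.
MP: PLTS = {"s0": {"a": {"s1": 0.5, "s2": 0.5}},
            "s1": {"a": {"s1": 1.0}},
            "s2": {"a": {"s2": 1.0}}}
MP_STATES = ["s0", "s1", "s2"]

# Constructed sample 2: two actions, so the equation for s0 is quadratic,
#   x_s0 = (0.5 x_s0 + 0.3) (0.2 x_s0 + 0.6),
# with roots ~0.2948325 and ~6.1; iterating from 0 picks the least one, the measure.
PLTS2: PLTS = {"s0": {"a": {"s0": 0.5, "goal": 0.3, "dead": 0.2},
                      "b": {"s0": 0.2, "goal": 0.6, "dead": 0.2}},
               "goal": {"a": {"goal": 1.0}, "b": {"goal": 1.0}},
               "dead": {}}                      # no transitions: <a>X and <b>X both fail here
PLTS2_STATES = ["s0", "goal", "dead"]


if __name__ == "__main__":
    # mu X. goal v <a>X  (cont = tt): probability of reaching s2 in the MP
    reach = measure_fixpoint(MP, MP_STATES, "mu", {"s2"}, set(MP_STATES), ["a"])
    # nu X. safe ^ <a>X  (stop = ff): probability of staying inside {s0, s1} forever
    safe = measure_fixpoint(MP, MP_STATES, "nu", set(), {"s0", "s1"}, ["a"])
    # mu X. goal v (<a>X ^ <b>X): both action branches of the d-tree must reach goal
    both = measure_fixpoint(PLTS2, PLTS2_STATES, "mu", {"goal"}, set(PLTS2_STATES), ["a", "b"])
    print(reach["s0"], safe["s0"], both["s0"])          # 0.5 0.5 0.2948325...
    print(check_prob(both["s0"], 0.25, strict=True))    # True: s0 |= Pr_{>0.25}(...)
```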
4.3 Discussion about complexity 

The algorithm just described relies on the use of numerical approximation techniques. However, in certain cases exact solutions can be calculated. For example, if the PLTS is in fact a MP then the equation system generated is linear. In addition, results of [CY88] suggest that this linear system can be converted into one that has a unique solution. In this case, the equations can be solved exactly. 

The non-linearity of the equations we consider, for model-checking PLTSs, is a direct consequence of the program model (which allows different kinds of actions, i.e., when $|Act| > 1$) and our semantics (where observations are deterministic trees). Consequently, non-linearity in the measure equations is a fact that any solution technique we adopt will have to contend with. Furthermore, since there can be no direct technique for solving arbitrary polynomial equations (due to a result of Galois) we will have to depend upon iterative techniques. A characteristic of iterative techniques, shared by our work, is that the complexity depends upon the precision of answers demanded. We have been investigating the use of symbolic algebra tools, such as Maple, in implementing our model-checking procedure and hope to report our experiences in the near future. 

5 Concluding Remarks 

We have presented a uniform framework for defining temporal logics on reactive probabilistic transition systems. Our approach is based on using the modal mu-calculus to define measurable sets of observations of such systems. We have shown that our logic is expressive enough to encode two different existing temporal logics, and we have also demonstrated that it may be used to rectify an infelicity in a third. A model-checking procedure for the logic was also presented. 

As for future work, we believe that we can improve on the algorithm presented here by using results similar to those in [CY88] to transform our equation systems into ones having unique solutions. If this is the case, then we can use traditional solution techniques for nonlinear equations to compute measures in a numerically robust manner. We would also like to implement these algorithms. Another important issue for future work is that of applying our logic to more general transition systems (for example, the transition systems of [Seg95]) and establishing its relation to probabilistic automata [Paz71]. Such an extension would allow translation of pCTL* interpreted over probabilistic non-deterministic systems into our framework, much like the translation we have shown in this paper, and provide an efficient model-checking procedure for the same. It would also be useful to investigate the adaptation of our techniques to models of distributed computation in which resources may probabilistically fail, such as the one presented in [PSC+98]. 

The work being presented here also has applications to edge-profile-driven data flow analysis [Ram96, BGS98], where the likelihood with which program properties hold is calculated; such calculation can then be used to perform profile-driven optimization [BL92]. Recent work [Ste91, Sch98] on reducing traditional data flow analysis problems to a model-checking problem can be extended to reduce profile-driven DFA to probabilistic model-checking, and we propose to investigate this further. 

Acknowledgments: Murali Narasimha would like to thank S. Arun-Kumar and E. Kaltofen for several helpful discussions on this topic. 
Abstract. We study the use of the π-calculus for semantical descriptions of languages such as Concurrent Idealised ALGOL (CIA), combining imperative, functional and concurrent features. We first present an operational semantics for CIA, given by SOS rules and a contextual form of behavioural equivalence; then a π-calculus semantics. As behavioural equivalence on π-calculus processes we choose the standard (weak early) bisimilarity. We compare the two semantics, demonstrating that there is a close operational correspondence between them and that the π-calculus semantics is sound. This allows for applying the π-calculus theory in proving behavioural properties of CIA phrases. We discuss laws and examples which have served as benchmarks to various semantics, and a more complex example involving procedures of higher order. 



1 Introduction 

Reynolds formalised Idealised ALGOL (IA) as a simple imperative language enriched with a procedural mechanism provided by a typed call-by-name λ-calculus [Rey81]. IA combines in an elegant way imperative and functional features, and since its introduction has been the object of extensive study (cf. [OT97]). Concurrent Idealised ALGOL (CIA) was introduced by Brookes as an extension of IA with shared variable parallelism [Bro96]. CIA allows parallel composition of commands and features an await operator for imposing atomicity. Brookes [Bro96] has presented an elegant denotational model for CIA, extending a Kripke-style Possible Worlds semantics. From a semantical point of view, CIA is a challenging language, since it combines imperative, functional and concurrent features, and possesses an atomicity construct. 

In this paper we study semantics of CIA given by a translation into the π-calculus. The main reasons for using the π-calculus are the following. It offers a well-developed theory that we wish to exploit, through the translation, to reason on CIA terms. We also intend to profit from the π-calculus being, syntactically, a first-order language, i.e., values only consist of names (in typed versions, there may also be basic values such as integers and booleans). In contrast, CIA is higher-order, thus values may be arbitrary terms. In higher-order languages, defining satisfactory notions of behavioural equivalences — not to mention proof techniques for them — may be hard. Proofs of process equivalences are complicated by universal quantifications over terms. Further, it is in general hard to establish that a notion of bisimilarity is a congruence. (For higher-order languages, 
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this is usually proved using Howe’s technique [How96]; attempts to extend this 
technique to languages with local state, however, have been unsuccessful so far; 
see discussions in [FHJ95].) A further advantage of the tr-calculus semantics is 
that, as states are represented by processes, no snapback effects (reversibility 
of state changes, cf. [AM96,AM97,OT97]) can occur; models representing states 
by functions — usually denotational models do so — suffer from snapback effects, 
which are usually removed by means of logical relations [OT97] . 

Our study is also motivated by the question of how appropriate the π-calculus
is for giving semantics to languages such as CIA. Previous work gives evidence
that the π-calculus can model references, functions and various forms of
(non-atomic) parallelism [Wal95,Jon93,KS98,Mil92], but so far only limited
forms of combinations of these have been considered. In the case of imperative
languages, little effort has been spent in comparing the π-calculus to
operational semantics, and in using π-calculus translations for proving
properties of the source languages. Denotational approaches indicate a strong
similarity between local names in the π-calculus and local references in
imperative languages; note that the mathematical techniques employed in
modelling the π-calculus [Sta96,FMS96] were originally developed for the
semantic description of local references. Yet names and references behave
rather differently: receiving from a channel is destructive (it consumes a
value), whereas reading from a reference is not; a reference has a unique
location, whereas a channel may be used by several processes for both reading
and writing; etc. Hence it is unclear if and how interesting properties of
imperative languages can be proved via a translation into the π-calculus.

Section 2 briefly introduces an SOS-style operational semantics for CIA along
with a contextual form of behavioural equivalence. Then a π-calculus semantics
is presented, together with soundness results for the encoding (Sections 3 and
4). The main part of this paper is devoted to the discussion of concrete
examples (Section 5). We prove laws and examples from [MS88,Bro96,MT90a,MT90b],
as well as a more complex example involving procedures of higher order, namely
the equivalence between two CIA descriptions of two-place buffers (n-place
buffers could be dealt with similarly). Then we show that our semantics is not
fully abstract (Section 6). We present equivalent CIA phrases the translations
of which are not bisimilar. We show how to handle these examples using types,
especially I/O types. It is unclear whether the type systems we propose already
yield full abstraction (we conjecture they do not). Yet introducing more and
more sophisticated types deteriorates the applicability to concrete proofs.
However, our experiments have led us to the conclusion that in most cases I/O
types suffice.

2 Concurrent Idealised ALGOL 

Syntax, typing and notations for CIA closely follow [Rey81,Bro96]. Data types
consist of integers and booleans; phrase types are constructible from variables,
expressions and commands using the arrow type (for simplicity we omit tupling):

    τ ::= int | bool                                Data Types
    θ ::= var[τ] | exp[τ] | comm | (θ → θ')         Phrase Types
Data and variable types are lifted to expression types via the rules

    Γ ⊢ V : τ                      Γ ⊢ ι : var[τ]
    ────────────────     and       ────────────────
    Γ ⊢ V : exp[τ]                 Γ ⊢ !ι : exp[τ]

Variables can be declared on data types only, whereas procedure definition,
recursion and conditional are uniformly applicable to all phrase types. An
environment Γ is a partial function from identifiers to types, with domain
dom(Γ).

The syntax is defined according to [Bro96]. However, for defining behavioural
equivalences we find it convenient to have explicit constructs for input (on
variables) and output (of expressions); alternatively, we could have allowed the
observer direct access to the variables (we shall come back to this in Section
7). Further we allow for the use of conditionals in the body of await
statements. The body of an await statement therefore consists of assignments,
sequential composition and conditionals. Syntax and typing rules are presented
in Table 1 at the end of this paper.

We define an SOS-style operational semantics of CIA, using small-step
transition rules (as opposed to a big-step or natural semantics) in order to
capture the nondeterministic behaviour resulting from the interaction of phrases
via shared variables. The rules are quite standard, with the exception of those
needed for modelling the atomicity required by await. Let P and P' be phrases of
variable, expression or command type which do not contain free identifiers; σ
and σ' are assignments closing up on all free variables of P and P'. We call a
pair (P, σ) a configuration, and, if P is a command, we call it a command
configuration. In the sublanguage without await (CIA-{await}), the SOS rules
are of the form

    (P, σ) --τ--> (P', σ'),    (P, σ) --out(v)--> (P', σ'),    (P, σ) --in(v)--> (P', σ'),    (P, σ) --√--> σ'

where out(v) is the output of value v, in(v) the input of value v; τ is an
invisible (internal) action; and the tick √ denotes termination. If P is an
expression, the tick carries the value resulting from its evaluation.

The command await guarantees an atomic execution of a sequential composition of
assignments and conditionals once its guard has been evaluated to true (an
evaluation to false results in a repetition after some period of busy-waiting).
During the evaluation of the guard and the execution of the body of an await
statement, any other computation has to be stopped. We achieve this by
introducing locked configurations (P, σ)_ℓ. The tag ℓ represents a lock.
Whenever an await statement is executed, the configuration is marked with the
lock ℓ, and all but the await component are prevented from running (this
component is marked itself so as to be distinguishable from its context). The
lock is released either if the guarding boolean expression has been evaluated
to false, or otherwise after the command has been completed. The rules for
locked configurations are of the form (P, σ)_ℓ --τ--> (P', σ')_ℓ; further there
are rules for introducing and eliminating the lock from the configurations. The
relation ⇒ is the reflexive and transitive closure of --τ-->, and ==μ==> is
given by ⇒ --μ--> ⇒ (arbitrarily many invisible steps before and after the μ
transition).

Behavioural equality is defined in two steps: we first apply the (standard)
definition of bisimilarity in value-passing process calculi to CIA command
configurations (Definition 1); then, by closing it under all (closing) contexts,
we obtain an observational congruence applicable to all phrase types
(Definition 2).

Definition 1 (Configuration bisimulation). A binary relation ℛ upon command
configurations is a configuration bisimulation if it is symmetric, and E1 ℛ E2
implies

1. if E1 --√--> σ1 then there is σ2 s.t. E2 ==√==> σ2,

2. if E1 --τ--> E1' then there is E2' s.t. E2 ⇒ E2' and E1' ℛ E2',

3. if E1 --μ--> E1' and μ is an output or an input, then there is E2' s.t.
   E2 ==μ==> E2' and E1' ℛ E2'.

We write E1 ≈ E2 if there is a configuration bisimulation ℛ with E1 ℛ E2.

We say that a context Con is closed wrt. a phrase P if ∅ ⊢ Con[P] : comm (i.e.,
Con[P] does not contain free identifiers nor variables).

Definition 2 (Observational congruence). Let P1, P2 be arbitrary phrases. Then
P1 and P2 are observationally congruent, written P1 ≈_oc P2, if for every
context Con which is closed wrt. P1 and P2, (Con[P1], ∅) ≈ (Con[P2], ∅).

Observational congruence is the notion of behavioural equality on CIA phrases
we are interested in. It is however hard to prove equalities following its
definition, due to the universal quantification over the contexts.

We conclude the section with a useful fact about locked configurations. The
behaviour of an await statement is deterministic, both due to the absence of
parallel composition within its body and the incapability of expressions to
change a given assignment.

Lemma 1. (C, σ)_ℓ --τ--> (C', σ')_ζ with ζ ∈ {ℓ, ε} implies (C, σ)_ℓ ≈ (C', σ')_ζ
(here (C', σ')_ε stands for the unlocked configuration (C', σ')).

Corollary 1. For every configuration (C, σ)_ℓ the following holds: either it
diverges (i.e., there is an infinite computation of silent steps starting from
(C, σ)_ℓ) or there is another configuration (C', σ') such that
(C, σ)_ℓ ⇒ (C', σ') and (C, σ)_ℓ ≈ (C', σ').

3 The π-calculus

We translate CIA into a π-calculus language supplied with a simple type system.
This type system provides integer, boolean, product and channel types; we omit
the typing rules, which are quite standard, assuming that all processes and
expressions we write are well-typed. Channels are used to transmit values; they
are ranged over by a, b, ...; variables are ranged over by x, y, .... Together,
channels and variables constitute the names, p, q, .... Integer and boolean
constants are denoted by n, m, .... Channels and constants are the values,
ranged over by v. ⊙ denotes basic operators like addition, subtraction,
complement, etc.

    e ::= v | x | ⊙e | e ⊙ e                                               Expressions
    π ::= p̄⟨e⟩ | p(y) | τ                                                 Prefix
    P ::= 0 | π.P | P + P | P | P | (νp)P | [x = n]P | [x ≠ n]P | !p(y).P   Processes
A process is closed if it does not contain free variables; otherwise it is open.
For the semantics of the π-calculus we adopt a labelled transition system. In
contrast to reduction semantics [Mil91], this allows us to use labelled forms
of bisimulation and the associated proof techniques [MS92]. Process transitions
(in the early style) are of the form P --μ--> P', where μ is given by

    μ ::= (νb̃)ā⟨ṽ⟩ | a(ṽ) | τ.

(νb̃)ā⟨ṽ⟩ denotes the output of the values ṽ on the name a, where b̃ are those
channels among the names of ṽ which are private to the sender process; a(ṽ) is
the input of values ṽ over the channel a; finally, τ represents an internal
action. We use the standard SOS rules of the π-calculus. As in typed π-calculi
(such as in [Wal95]), there are rules for evaluating an expression to a value,
so as to be able to infer transitions like ā⟨2 + 3⟩.P --ā⟨5⟩--> P. Weak
transitions can be obtained by adding arbitrarily many silent steps before and
after a strong transition. We write ⇒ for the reflexive and transitive closure
of --τ-->, and ==μ̂==> for ⇒ --μ--> ⇒, adopting the standard convention that
τ̂ = ε and μ̂ = μ for all visible labels μ.

Bisimilarity is defined in the usual way (cf. for instance [MPW89]):

Definition 3 (Early bisimulation). A binary relation ℛ upon closed processes
is a (weak early) bisimulation if it is symmetric, and R ℛ S implies

    if R --μ--> R' then there is S' s.t. S ==μ̂==> S' and R' ℛ S'.

Two processes R and S are (weakly early) bisimilar, written R ≈ S, if there is
a (weak early) bisimulation ℛ with R ℛ S.

The definition extends to open processes by closing over all substitutions. In
the case of channel variables, however, one can often establish syntactic
conditions to avoid the substitution of all channels for a variable, and simply
substitute one fresh channel for the variable instead [San95a]. This also holds
for those processes which we obtain by translating CIA in Section 4 (we shall
not discuss this further in this extended abstract). Also, even though early
bisimilarity is not preserved by arbitrary summation, it is preserved by guarded
summation, which suffices in our case. The bisimulation proof technique can be
made more powerful by combining it with up-to techniques, like "up to expansion"
and "up to injective substitutions" [Mil89,MS92,San95b] (expansion, written ≽,
is an asymmetric variant of bisimulation taking into account the number of
internal steps performed by the processes [AKH92]).

4 Interpreting CIA in the π-calculus

The π-calculus interpretation of CIA is given by the rules in Tables 2 and 3 at
the end of this paper. The storage is modelled by registers of the form
Reg_ι[v] (in the π-calculus, recursive process definitions are derivable from
replication [Mil91]). Processes in the scope of fn_ι = {get_ι, put_ι} are
allowed to read and modify the content of Reg_ι. Configurations (C, σ), with
variables ι_1, ..., ι_n in the domain of σ, translate to

    ⟦(C, σ)⟧_p = (ν fn_ι1, ..., fn_ιn)(∏_i Reg_ιi[σ(ιi)] | ⟦C⟧_p).



CIA-{await}

A π-calculus interpretation of CIA necessitates certain care even in the absence
of await, due to the language combining imperative features with higher order.
We translate all phrases P into parameterised processes ⟦P⟧_p; the fresh name p
is used to signal the termination of the execution of ⟦P⟧_p. The sequential
composition of two commands, for instance, is written as

    ⟦C1; C2⟧_p = (νq)(⟦C1⟧_q | q.⟦C2⟧_p).

First only ⟦C1⟧_q is able to execute, because of name q guarding ⟦C2⟧_p. As soon
as ⟦C1⟧_q terminates, it signals so on q, thus releasing ⟦C2⟧_p. Yet another
example of sequentiality are declarations,

    ⟦new [τ] ι := E in C⟧_p = (νq)(⟦E⟧_q | q(x).(ν fn_ι)(Reg_ι[x] | ⟦C⟧_p)).

Here parameter q does not only guard ⟦C⟧_p, but is also used to transmit the
result of the evaluation of E to register Reg_ι. Suppose E is a value v, then

    ⟦new [τ] ι := v in C⟧_p = (νq)(q̄⟨v⟩.0 | q(x).(ν fn_ι)(Reg_ι[x] | ⟦C⟧_p))
                             ≈ (ν fn_ι)(Reg_ι[v] | ⟦C⟧_p),

where the last step is an application of some simple π-calculus laws (precisely
the law (νq)(q̄⟨v⟩.R | q(x).S) ≈ (νq)(R | S{v/x}) and the garbage-collection law
(νq)R ≈ R if q is not free in R). Identifiers are modelled by processes sending
along a specified channel which is used to invoke a copy of the argument they
represent. Both procedural arguments and recursion are translated using
replication, so fresh copies are available at every call (recall that CIA is a
call-by-name language). For instance, if F is a free identifier, called x_F in
the π-calculus translation, then

    ⟦new [int] ι := 1 in F(!ι)⟧_p =
        (ν fn_ι)(Reg_ι[1] | (νq)(x̄_F⟨q⟩.0 | q(v).(νx)(v̄⟨x, p⟩.!x(r).get_ι(z).r̄⟨z⟩.0))).

Here (ν fn_ι)(Reg_ι[1] | ...) is the declaration, x̄_F⟨q⟩ invokes a copy of
procedure F, v̄⟨x, p⟩ communicates the argument and the termination signal, and
!x(r).get_ι(z).r̄⟨z⟩.0 is the procedural argument.

There is a close operational correspondence between configurations (P, σ) and
their encodings ⟦(P, σ)⟧_p. For the proof that the interpretation is sound,
command configurations (C, σ) are of particular interest (recall that ≈ is
defined exactly upon these). Using ≽ for the expansion relation (cf. Section
3), we give some of the correspondences (the others are similar):

- (C, σ) --√--> implies ⟦(C, σ)⟧_p ≽ (ν fn_ι1, ..., fn_ιn)(∏_i Reg_ιi[σ(ιi)] | p̄.0);

- ⟦(C, σ)⟧_p --p̄--> R implies R ≈ 0 and (C, σ) --√-->;

- (C, σ) --μ--> (C', σ') implies ⟦(C, σ)⟧_p ==μ̂==> R for some R ≽ ⟦(C', σ')⟧_p;

- ⟦(C, σ)⟧_p --τ--> R implies either R ≽ ⟦(C', σ')⟧_p for some (C', σ') such that
  (C, σ) --τ--> (C', σ'), or ⟦(C, σ)⟧_p ≽ R --out(v)--> ⟦(C', σ')⟧_p for some
  (C', σ') such that (C, σ) --out(v)--> (C', σ').

The operational correspondence relates every possible transition of a
configuration and of its encoding. A similar operational correspondence result
holds for weak transitions. Exploiting the congruence properties of ≈, the
compositionality of the encoding, and the operational correspondence results, we
can prove that the encoding is sound. In the proof we also make use of an
auxiliary encoding which yields an even closer operational correspondence with
CIA, and is obtained from ⟦.⟧ by removing some "administrative" silent steps.

Let the observational congruence on CIA-{await} be defined analogously to ≈_oc
on full CIA.

Theorem 1 (Soundness). ⟦P1⟧_p ≈ ⟦P2⟧_p implies that P1 and P2 are observationally
congruent in CIA-{await}, for arbitrary CIA-{await} phrases P1 and P2.

The converse (completeness) holds in the case of closed commands, but does not
extend to arbitrary phrases, as we shall discuss in Section 6.

Full CIA

The encoding ⟦.⟧^ℓ of phrases in full CIA follows the same compositional scheme
as for CIA-{await}. What is different wrt. the encoding ⟦.⟧ is the use of a
lock to impose mutual exclusion on input, output, reading from and writing to a
variable, and on await. Before any of these commands can be executed, the lock
has to be acquired; it is released upon their termination. The lock is
implemented by a process ℓ̄.0. At any time at most one copy of the lock is
available to the whole program. Acquiring the lock and continuing as R is
modelled by ℓ.R (the input "requires" the lock); releasing the lock and
continuing as R is translated by ℓ̄.0 | R (a new copy of the lock is released).
Reading from a variable, for instance, now becomes:

    ⟦!ι⟧^ℓ_p = ℓ.get_ι(x).(ℓ̄.0 | p̄⟨x⟩.0)

where the leading ℓ takes the lock and ℓ̄.0 releases it. The command await is
translated following a busy-wait strategy (cf. Table 3). In fact, its encoding
is similar to that of the while loop (modulo the lock, cf. Table 2), only that
q and p change their roles in the bodies of the conditionals. Our previous
example translates to

    ⟦new [int] ι := 1 in F(!ι)⟧^ℓ_p =
        (ν fn_ι)(Reg_ι[1] | (νq)(x̄_F⟨q⟩.0 | q(v).(νx)(v̄⟨x, p⟩.!x(r).ℓ.get_ι(z).(ℓ̄.0 | r̄⟨z⟩.0)))).

The differing compilation rules are given in Table 3. The results of operational
correspondence and soundness are similar to those in CIA-{await}, except that
now the π-calculus terms contain a lock ℓ. So, instead of ⟦P⟧_p we now work
with processes of the form (νℓ)(ℓ̄.0 | ⟦P⟧^ℓ_p). (In the operational
correspondence, the configurations themselves are not locked, as Corollary 1
allows us to abstract from those being locked.)

Theorem 2 (Soundness). (νℓ)(ℓ̄.0 | ⟦P1⟧^ℓ_p) ≈ (νℓ)(ℓ̄.0 | ⟦P2⟧^ℓ_p) implies
P1 ≈_oc P2 for arbitrary CIA phrases P1 and P2.

The following result relates the two translations, ⟦.⟧ and ⟦.⟧^ℓ, which allows
us to use the simpler encoding in the absence of await.

Theorem 3. ⟦P1⟧_p ≈ ⟦P2⟧_p implies (νℓ)(ℓ̄.0 | ⟦P1⟧^ℓ_p) ≈ (νℓ)(ℓ̄.0 | ⟦P2⟧^ℓ_p),
and thus P1 ≈_oc P2, for arbitrary CIA-{await} phrases P1 and P2.

5 Examples of reasoning

Considering benchmark laws and examples from [MS88,Bro96,MT90a,MT90b], we
demonstrate that the π-calculus semantics yields simple proofs of these
well-known equalities. Further we show by a more complex example how to tackle
procedures of higher order.

♦ Basic properties of CIA operators, such as associativity of sequential
composition, or associativity and commutativity of parallel composition, are
straightforward consequences of analogous π-calculus laws (like associativity
and commutativity of parallel composition in the π-calculus).

♦ Suppose that ι does not occur free in P', and consider the following laws:

    (L1) new [τ] ι := v in P' = P'
    (L2) new [τ] ι := v in (P; P') = (new [τ] ι := v in P); P'
    (L3) new [τ] ι := v in (P'; P) = P'; (new [τ] ι := v in P)
    (L4) new [τ] ι := v in (P || P') = (new [τ] ι := v in P) || P'.

The π-calculus proofs of these laws are all similar, and purely algebraic. As an
example, we present the proof of L2; recall from Section 4 that
fn_ι = {get_ι, put_ι}:

    ⟦new [τ] ι := v in (P; P')⟧_p ≈ (ν fn_ι)(Reg_ι[v] | (νq)(⟦P⟧_q | q.⟦P'⟧_p))     (1)
                                   ≈ (νq)((ν fn_ι)(Reg_ι[v] | ⟦P⟧_q | q.⟦P'⟧_p))     (2)
                                   ≈ (νq)((ν fn_ι)(Reg_ι[v] | ⟦P⟧_q) | q.⟦P'⟧_p)     (3)
                                   ≈ ⟦(new [τ] ι := v in P); P'⟧_p.

Line (1) contains the encoding with v already written to Reg_ι; in Section 4 we
have shown that this process is bisimilar to the original encoding. In (2) the
restriction on q is moved to an outer level, and in (3) the restriction on fn_ι
is removed from ⟦P'⟧_p.

♦ The proof of the law (λ(x : θ).P)P' = P{P'/x} (validity of β-reduction) is an
extension of the proof of the validity of β-reduction in the π-calculus
encoding of the call-by-name λ-calculus [Mil92]; it uses distributivity
properties of private replications, and structural induction (in this
induction, there are more cases to consider wrt. the proof for the call-by-name
λ-calculus, but the structure of the proof is similar).

♦ The law new [int] ι := 1 in F(!ι) = F(1) (where F is a free identifier of
appropriate type) is proved algebraically:

    ⟦new [int] ι := 1 in F(!ι)⟧_p
      ≈ (ν fn_ι)(Reg_ι[1] | (νq)(x̄_F⟨q⟩.0 | q(v).(νx)(v̄⟨x, p⟩.!x(r).get_ι(z).r̄⟨z⟩.0)))
      ≈ (νq)(x̄_F⟨q⟩.0 | q(v).(νx)(v̄⟨x, p⟩.(ν fn_ι)(Reg_ι[1] | !x(r).get_ι(z).r̄⟨z⟩.0)))
      ≈ (νq)(x̄_F⟨q⟩.0 | q(v).(νx)(v̄⟨x, p⟩.!x(r).r̄⟨1⟩.0)).

♦ Suppose again that F is a free identifier of appropriate type. Proving the law

    new [int] ι := 0 in F(ι := !ι + 1) = F(skip)

essentially consists in showing that for arbitrary non-negative integer values
v,

    (ν fn_ι)(Reg_ι[v] | !x(r).⟦ι := !ι + 1⟧_r) ≈ !x(r).⟦skip⟧_r,

where x denotes the formal parameter of F (owing to F being a free identifier,
name x is provided by the observer).

♦ A simple π-calculus bisimulation relation can be used to prove that iteration
is expressible via recursion, i.e., if x is not free in B and C then

    while B do C = rec x. if B then (C; x) else skip.

♦ In our last, more substantial, example we show that two implementations of a
two-place buffer are equivalent (the example can be generalised to n-place
buffers). For simplicity we assume that all buffers store integer values. The
example involves both procedures of higher order and the await statement.
Procedure B below defines a one-place buffer; x_p represents the clients, x_n a
value stored by a client, and x_r is a client location where a value retrieved
from the buffer is to be stored. We use sugared notation for the declarations
and conditionals.

    B ≝ λ(x_p : θ_c). new [bool] fl := ff, [int] ct := 0 in
          x_p (λ(x_n : int). await (!fl = ff) then (ct := x_n; fl := tt))         /* put */
              (λ(x_r : var[int]). await (!fl = tt) then (x_r := !ct; fl := ff)).  /* get */

Analogously one can define buffers with two, or even more, places. Buffer B1
below, e.g., is a two-place buffer. It possesses local variables ct1 and ct2,
for storing values, and a counter ib to indicate how many values are currently
stored.

    B1 ≝ λ(x_p : θ_c). new [int] ib := 0, ct1 := 0, ct2 := 0 in
           x_p (λ(x_n : int). await (!ib ≤ 1) then
                  ((if (!ib = 0) then ct1 := x_n else ct2 := x_n);
                   ib := !ib + 1))
               (λ(x_r : var[int]). await (!ib ≥ 1) then
                  (x_r := !ct1;
                   if (!ib = 2) then ct1 := !ct2;
                   ib := !ib - 1)).

n-place buffers defined like B1 are single monolithic terms. Yet we can also
define n-place buffers in a modular way, by connecting n one-place buffers. In
this case, however, it is necessary to distinguish the first n-1 buffers from
the last, which acts as a barrier buffer. For the barrier buffer, we take the
term B from above; the head buffers HB are defined as follows:

    HB ≝ λ(x_p : θ_c). λ(x_pt : int → comm). λ(x_gt : var[int] → comm).
           new [bool] fl_h := ff, [int] ct_h := 0 in
             x_p (λ(x_n : int). await (¬!fl_h) then (ct_h := x_n; fl_h := tt))
                 x_gt
             || rec x. (if (!fl_h) then (x_pt(!ct_h); fl_h := ff; x) else x)

Again, x_p represents the clients; x_pt and x_gt represent the put and get
procedures of the server buffer which HB is connected to. The arguments for the
clients x_p are a put procedure defined in HB itself, and the get procedure of
the server buffer. The boolean variable fl_h indicates whether HB is full (in
which case a value is currently stored in ct_h). Whenever HB is full, it
attempts to transmit its content to the server buffer, using the put procedure
of the server. We can then define a 2-place buffer by

    B2 ≝ λ(x_p : θ_c). B(HB x_p).

For proving that B1 and B2 are observationally congruent, i.e., B1 ≈_oc B2, we
translate them into the π-calculus so as to be able to exploit the proof
techniques developed for it. First, however, applying the previously validated
CIA law of β-reduction we infer B2 ≈_oc B2', where

    B2' ≝ λ(x_p : θ_c). new [bool] fl := ff, fl_h := ff, [int] ct := 0, ct_h := 0 in
            x_p (λ(x_n : int). await (¬!fl_h) then (ct_h := x_n; fl_h := tt))
                (λ(x_r : var[int]). await (!fl) then (x_r := !ct; fl := ff))
            || rec x. (if (!fl_h) then ((await (¬!fl) then (ct := !ct_h; fl := tt)); fl_h := ff; x) else x).

It remains to show that B1 ≈_oc B2'. Let B1^body and B2'^body be the bodies of
the procedures B1 and B2'; they are obtained by stripping off the leading λ. It
suffices to prove, by "bisimulation up to expansion" (cf. Section 3), that the
encodings of B1^body and B2'^body are bisimilar. Due to the presence of await we
have to use locks, hence the encoding ⟦.⟧^ℓ, and, as required by Theorem 2,
close the encoded processes under the lock ℓ. Roughly, the bisimulation up to
expansion ℛ which we use for the proof is of the following form (we omit those
processes resulting from calls from clients that have not been served
immediately):

    ℛ = { ((νℓ)(ℓ̄.0 | ⟦B1^body⟧^ℓ_p),        (νℓ)(ℓ̄.0 | ⟦B2'^body⟧^ℓ_p)),          empty buffers
          ((νℓ)(ℓ̄.0 | ⟦B1^body(v)⟧^ℓ_p),     (νℓ)(ℓ̄.0 | ⟦B2'^body(v)⟧^ℓ_p)),       one value stored
          ((νℓ)(ℓ̄.0 | ⟦B1^body(v, w)⟧^ℓ_p),  (νℓ)(ℓ̄.0 | ⟦B2'^body(v, w)⟧^ℓ_p))    two values stored
          | v, w : int },

where (informally) B1^body(v) (resp. B1^body(v, w)) is like B1^body but with a
value v (resp. values v, w) stored in it; similarly for B2'^body(v) (resp.
B2'^body(v, w)).
Consider for instance the first pair of the relation; here the buffers are
empty, i.e., !ib = 0 in B1^body and !fl = !fl_h = ff in B2'^body. In that state
the values of ct1, ct2, ct and ct_h do not matter, as they cannot be read. With
corresponding sequences of transitions s, the buffers accept a value v from
their client and, after storing it, signal the termination of that activity,
thus

    (νℓ)(ℓ̄.0 | ⟦B1^body⟧^ℓ_p) ==s==> (νℓ)(ℓ̄.0 | ⟦B1^body(v)⟧^ℓ_p)

and likewise for B2'^body. Precisely, s is a sequence of visible actions
consisting of: the client requesting that a value be stored (x_pt(r), where r
will be used to signal the termination, see below); the buffers asking for a
value (action (νq)x̄_n⟨q⟩, where x_n is a previously agreed channel and q a
newly created one); the client providing a value (action q(v)); and, finally,
the buffer signalling that v has been stored (action r̄). During this execution,
the buffers hold the lock; it is released at the same time the client is
informed of the termination.

Now !ib = 1 in B1^body(v) and !fl = tt in B2'^body(v); value v is assigned to
ct1 and ct, respectively. We can assume this, despite first storing v in ct_h,
as

(≽ denotes expansion as introduced in Section 3). Note that this application of
the "up to" techniques is vital to the proof of the example (otherwise the
relation would yield an extremely large number of pairs).

We do not know how to prove this or the previous examples directly in the
operational semantics of ALGOL without going through a universal quantification
over contexts (recall the problems with reasoning directly within the ALGOL
semantics, discussed in the Introduction).

6 Refinements

For certain open CIA phrases, the ordinary π-calculus (weak early) bisimilarity
turns out to be too discriminating, i.e., there exist observationally congruent
CIA phrases whose translations into the π-calculus yield processes which are
not bisimilar. Refining types, however, makes behavioural equivalences coarser
(more process equivalences can be established), simply because the number of
well-typed observers decreases.

In CIA, reading from a global variable does not influence the overall behaviour
of a term as long as the value is not used in future interactions. This is not
captured by the usual π-calculus bisimilarity, where all visible actions are
treated identically. As a consequence, the equality (where κ is a free integer
variable)

    new [int] ι := 0 in (ι := !κ || output 5) = output 5,                     (1)

which is operationally true in CIA, does not yield bisimilar π-calculus
encodings; only the translation of the left-hand term may perform a get_κ
transition.

To overcome this problem, we have adopted two measures. If A and B are open CIA
phrases with free variables {x_i}_i, then instead of requiring that ⟦A⟧ and ⟦B⟧
be bisimilar, we demand bisimilarity between ∏_i Reg_{x_i}[σ(x_i)] | ⟦A⟧ and
∏_i Reg_{x_i}[σ(x_i)] | ⟦B⟧ (notice that in contrast to Section 4 the registers
are not made local by a restriction), where σ is a function mapping all x_i to
some fixed initial value, e.g., 0 and false. (Using some fixed initial value is
possible because, intuitively, both program and observer have unlimited access
to registers.) To ensure that, apart from input and output, communication
between program and observer is only possible via these registers, we use a
type system distinguishing between the capabilities of using a channel in input
and output (I/O types, cf. [PS93,BS98]). So, if ι is a free register, we can
assign an external observer only the input capability on get_ι and the output
capability on put_ι. The corresponding equivalence on π-calculus processes, for
which soundness theorems similar to Theorems 1 and 2 hold, is closer to the
observational congruence in CIA than the ordinary bisimilarity; it allows us to
prove (1), as well as, e.g.,

    while tt do (ι := 0; ι := 1) = while tt do (ι := 1; ι := 0).

Again, this equality is valid in CIA but not in the π-calculus applying its
ordinary bisimilarity.

Yet full abstraction is not gained by introducing I/O types. Consider the
following example, where F is a free identifier:

    new [int] ι := 0 in                    new [int] ι := 0 in
      F(ι);                                  F(ι);
      if (!ι = 0) then skip                  if (!ι = 0) then (if (!ι = 1) then diverge else skip)
      else diverge                           else diverge.

This example hinges on the unlimited access the observer has on fn_ι in the
π-calculus once ι has been exported by calling F: Suppose the phrases have been
signalled the termination of F, and ι is assigned a 0. One would naturally
conclude that both phrases should terminate. Yet the access the observer has
gained on ι at the time F was called does not cease with the termination of the
procedure (recall that in the π-calculus encoding, F is a free identifier).
Hence the observer can write on ι even after having signalled the termination
of F. Now suppose the variable has already positively been tested for 0. In this
case the left-hand phrase is bound to terminate, whereas the right-hand one may
still diverge (if the observer sets ι to 1 before the second test).

For validating this example, a refined typing would be necessary, which allows
one to express linearity (the observer could use certain names only once) and
sequentiality (the observer could use a given name only as long as he/she does
not use another given name) constraints on the use of names. Such a type system
could also be used to force the observer to respect the atomicity of await
statements (before accessing a register, the observer should grab the lock, and
release it afterwards). This would allow us to validate equivalences like

    await tt then (ι := !ι + 1; ι := !ι + 1) = await tt then (ι := !ι + 2).

We see no technical difficulties in adopting such a type system, as we have done
with the I/O types. Indeed, type systems for the π-calculus of this kind already
exist [Hon96,KPT96,Kob97]; bisimilarity-based equivalences for them, as well as
related algebraic properties, can be given by developing those for I/O types.
However, even this further type refinement might not yield completeness of the
interpretation. Moreover, our experiments have led us to the conviction that the
I/O types are usually sufficient for reasoning, and that further typing would
just make concrete proofs too complex.
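The two points made above, the lock-based atomicity of await from Section 2 and the observation that a π-calculus observer holding get_ι/put_ι directly can bypass that atomicity, can be checked mechanically on small programs. The following Python module is an added illustration and not part of the paper: it is an explicit-state explorer for commands hand-encoded as lists of atomic steps, with a single lock token playing the role of ℓ̄.0 in Section 4, and it compares await tt then (ι := !ι + 1; ι := !ι + 1) with await tt then (ι := !ι + 2) against the context output !ι. The variable ι is named "x" in the code, and all function names (explore, await_then, observed_traces) are ours. With an observer that respects the lock, as the CIA semantics forces every context to do, both phrases yield exactly the output traces 0 and 2; with an observer that may read the register at any time, the first phrase also exposes the intermediate value 1, so the two encodings are told apart.

```python
"""Explicit-state exploration of CIA-style shared-variable commands guarded by
a single lock token, in the spirit of the locked configurations of Section 2
and the lock process of Section 4.  Added illustration, not the paper's
formalisation: phrases are encoded by hand as lists of atomic steps."""


def assign(var, expr):
    """iota := e, one atomic small step on the store."""
    def step(store, out):
        new = dict(store)
        new[var] = expr(store)
        return new, out
    return ("step", step)


def output(expr):
    """output e: append the value to the visible output trace."""
    def step(store, out):
        return store, out + (expr(store),)
    return ("step", step)


def await_then(guard, *body):
    """await guard then body: take the lock, test the guard (a false guard
    gives the lock back and retries, i.e. busy-waits), run the body while
    holding the lock, release the lock."""
    return [("lock", guard), *body, ("unlock", None)]


def explore(threads, init, honours_lock):
    """Return every (final store, output trace) pair reachable by interleaving.
    honours_lock[i] is False for a thread allowed to step while another thread
    holds the lock, like a pi-calculus observer that owns get/put directly and
    never synchronises on the lock channel."""
    start = (tuple(0 for _ in threads), frozenset(init.items()), (), None)
    seen, finals, stack = set(), set(), [start]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        pcs, frozen, out, holder = state
        store = dict(frozen)
        if all(pc == len(t) for pc, t in zip(pcs, threads)):
            finals.add((frozen, out))
            continue
        for i, thread in enumerate(threads):
            pc = pcs[i]
            if pc == len(thread):
                continue
            if holder is not None and holder != i and honours_lock[i]:
                continue                        # excluded by the lock holder
            kind, fn = thread[pc]
            new_store, new_out, new_holder, new_pc = store, out, holder, pc + 1
            if kind == "lock":
                if holder is not None:
                    continue                    # the single token is taken
                if fn(store):
                    new_holder = i              # guard true: enter the body
                else:
                    new_pc = pc                 # guard false: busy-wait, retry
            elif kind == "unlock":
                new_holder = None
            else:
                new_store, new_out = fn(store, out)
            new_pcs = pcs[:i] + (new_pc,) + pcs[i + 1:]
            stack.append((new_pcs, frozenset(new_store.items()), new_out, new_holder))
    return finals


def read(var):
    return lambda store: store[var]


def plus(var, k):
    return lambda store: store[var] + k


def TT(store):
    return True


# The two sides of the equivalence from Section 6, with iota named "x":
#   await tt then (x := !x + 1; x := !x + 1)   and   await tt then (x := !x + 2)
TWO_INCREMENTS = await_then(TT, assign("x", plus("x", 1)), assign("x", plus("x", 1)))
ONE_INCREMENT = await_then(TT, assign("x", plus("x", 2)))


def observed_traces(phrase, observer_honours_lock):
    """Output traces of  phrase || output !x  started from x = 0.  In CIA the
    context's read is itself mutually excluded with the await; a pi-calculus
    observer holding get_x directly may read between the two assignments."""
    observer = [output(read("x"))]
    finals = explore([phrase, observer], {"x": 0}, (True, observer_honours_lock))
    return frozenset(out for _, out in finals)


if __name__ == "__main__":
    for honours in (True, False):
        a = observed_traces(TWO_INCREMENTS, honours)
        b = observed_traces(ONE_INCREMENT, honours)
        print("lock-respecting observer:" if honours else "pi-calculus observer:   ",
              sorted(a), sorted(b), "equal" if a == b else "DISTINGUISHED")
```

The explorer treats the lock exactly as the encoding of Section 4 does: a thread in a locked region cannot be interleaved with any thread that honours the lock, and a false guard hands the token back and loops, which the visited-state set turns into a finite self-loop. Turning honours_lock off for the observer is the same relaxation a refined type system would have to forbid, namely using get_x or put_x without first receiving on ℓ.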

7 Further results and discussion 

The approach presented in this paper is applicable to other languages with state. 
We have, e.g., modelled a variation of CIA by using call- by- value, instead of call- 
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by-name, and by extending variables to higher order (this implies that not only 
values but also references and commands are stored in the registers); some of 
these modifications have been made following the languages in [MT90a,MT90b]. 
During the execution of an await statement, only one thread of computation is 
active (cf. Section 2 and [Bro96]), yielding a purely sequential behaviour. The 
degree of parallelism in the presence of an active (i.e., currently running) await 
statement can be increased by, e.g., a simultaneous execution of phrases which 
do not access variables affected by the await statement. This can be modelled, 
in the SOS semantics, by locks carrying along information about the concerned 
variables; in the 7r-calculus semantics, multiple locks can be introduced. The 
necessary information on the access to variables can be gained by some simple 
preliminary static analysis. Of course, such an increase in parallelism changes the 
overall semantics; nevertheless there are behavioural correspondences between 
the more sequential and the more parallel version: First, if two phrases are 
bisimilar in the more parallel version, then they are also bisimilar in the sequential one 
(cutting off branches from the transition systems). Second, a phrase may yield a 
divergent computation (transition trace) in the sequential semantics if and only 
if it does so in the parallel one (transitions occurring interleaved in the parallel 
semantics are causally independent, so they can be interchanged resulting in a 
computation of the sequential semantics). We have proved both these results by 
reasoning on the π-calculus translations. 
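The await equivalence of Section 6 and the single-active-thread reading of await above, as an added example that is not the paper's own code: a small Python interleaving explorer that models `await tt then C` as one atomic block and enumerates every schedule of two threads. The load/add/store step notation, the register name `i` and the observer thread `x := !i` are constructed for this example.

```python
# Added example (not from the paper): enumerate every interleaving of two
# CIA-style threads sharing register i, with and without `await`.  A thread
# is a list of atomic blocks; a block is a list of constructed primitive
# steps: ("load", v) acc := !v, ("add", n) acc := acc + n, ("store", v) v := acc.
# Splitting `v := !w + n` into three steps mirrors the separate get and put
# interactions with the register in the pi-calculus encoding (Table 2).

def assign_plus(dst, src, n):
    """Steps for the CIA command `dst := !src + n`."""
    return [("load", src), ("add", n), ("store", dst)]

def seq(*commands):
    """`C1; ...; Cn` outside await: every step is its own atomic block."""
    return [[step] for cmd in commands for step in cmd]

def await_tt(*commands):
    """`await tt then (C1; ...; Cn)`: the whole body is one atomic block,
    i.e. no other thread is active while it runs (Sections 2 and 7)."""
    return [[step for cmd in commands for step in cmd]]

def run_step(step, store, acc):
    """Execute one primitive step; returns the thread's new accumulator."""
    op, arg = step
    if op == "load":
        return store[arg]
    if op == "add":
        return acc + arg
    store[arg] = acc  # op == "store"
    return acc

def final_stores(threads, store):
    """Set of stores reachable by interleaving the threads' atomic blocks."""
    results = set()
    def explore(st, pcs, accs):
        if all(pc == len(t) for pc, t in zip(pcs, threads)):
            results.add(tuple(sorted(st.items())))
            return
        for i, t in enumerate(threads):
            if pcs[i] < len(t):  # schedule thread i's next atomic block
                s, a = dict(st), list(accs)
                for step in t[pcs[i]]:
                    a[i] = run_step(step, s, a[i])
                explore(s, pcs[:i] + [pcs[i] + 1] + pcs[i + 1:], a)
    explore(dict(store), [0] * len(threads), [0] * len(threads))
    return results

def observations(program):
    """Values of x that an observer thread `x := !i`, run in parallel with
    `program` from i = 0, can end up with."""
    observer = seq(assign_plus("x", "i", 0))
    return sorted({dict(f)["x"] for f in final_stores([program, observer], {"i": 0})})
```

Without await, `observations(seq(assign_plus("i", "i", 1), assign_plus("i", "i", 1)))` is `[0, 1, 2]` while the single increment by 2 gives `[0, 2]`, so the observer distinguishes the two commands; wrapped in `await_tt` both give `[0, 2]`.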

We have considered as closed only those programs that possess neither open 
identifiers nor variables, using explicit input and output constructs. An alternative 
approach is to provide the observer with direct access to the global variables: 

$$\langle P, \sigma\rangle \xrightarrow{\ \mathit{read}_\iota(v)\ } \langle P, \sigma\rangle \quad \text{if } \Gamma(\iota) = \mathrm{var}[\tau] \text{ and } \sigma(\iota) = v,$$

$$\langle P, \sigma\rangle \xrightarrow{\ \mathit{write}_\iota(v)\ } \langle P, \sigma\{\iota \mapsto v\}\rangle \quad \text{if } \Gamma(\iota) = \mathrm{var}[\tau].$$

To obtain operational correspondence and soundness (cf. Section 4), the translation 
into the π-calculus would then have to take into account I/O types (cf. Section 6). 
The semantics given to IA and CIA by O'Hearn and Tennent [OT95], Pitts [Pit96] 
and Brookes [Bro96] make use of relational parametricity. Comparing proofs 
conducted in these theories with bisimulation-based proofs carried out in the 
π-calculus might clarify the relationship between these two notions. 
$$\Gamma \vdash v : \tau \qquad\qquad \Gamma \vdash \iota : \mathrm{var}[\tau]$$

$$\frac{\Gamma \vdash E_1 : \mathrm{exp}[\tau] \quad \Gamma \vdash E_2 : \mathrm{exp}[\tau] \quad \oplus : \tau \times \tau \to \tau}{\Gamma \vdash E_1 \oplus E_2 : \mathrm{exp}[\tau]}$$

$$\Gamma \vdash \mathbf{skip} : \mathrm{comm}$$

$$\frac{\Gamma \vdash E : \mathrm{exp}[\tau]}{\Gamma \vdash \mathbf{output}\ E : \mathrm{comm}} \qquad \frac{\Gamma \vdash \iota : \mathrm{var}[\tau]}{\Gamma \vdash \mathbf{input}\ \iota : \mathrm{comm}}$$

$$\frac{\Gamma \vdash V : \mathrm{var}[\tau] \quad \Gamma \vdash E : \mathrm{exp}[\tau]}{\Gamma \vdash V := E : \mathrm{comm}}$$

$$\frac{\Gamma \vdash C_1 : \mathrm{comm} \quad \Gamma \vdash C_2 : \mathrm{comm}}{\Gamma \vdash C_1 ; C_2 : \mathrm{comm}} \qquad \frac{\Gamma \vdash C_1 : \mathrm{comm} \quad \Gamma \vdash C_2 : \mathrm{comm}}{\Gamma \vdash C_1 \parallel C_2 : \mathrm{comm}}$$

$$\frac{\Gamma \vdash B : \mathrm{exp}[\mathit{bool}] \quad \Gamma \vdash P_1 : \theta \quad \Gamma \vdash P_2 : \theta}{\Gamma \vdash \mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 : \theta}$$

$$\frac{\Gamma \vdash B : \mathrm{exp}[\mathit{bool}] \quad \Gamma \vdash C : \mathrm{comm}}{\Gamma \vdash \mathbf{while}\ B\ \mathbf{do}\ C : \mathrm{comm}}$$

$$\frac{\Gamma \vdash B : \mathrm{exp}[\mathit{bool}] \quad \Gamma \vdash C : \mathrm{comm}}{\Gamma \vdash \mathbf{await}\ B\ \mathbf{then}\ C : \mathrm{comm}} \quad C \text{ a seq. comp. of ass., cond.}$$

$$\frac{\Gamma \vdash E : \mathrm{exp}[\tau] \quad \Gamma, \iota : \mathrm{var}[\tau] \vdash C : \mathrm{comm}}{\Gamma \vdash \mathbf{new}\ [\tau]\ \iota := E\ \mathbf{in}\ C : \mathrm{comm}}$$

$$\Gamma \vdash x : \theta \quad \text{when } \Gamma(x) = \theta$$

$$\frac{\Gamma, x : \theta \vdash P : \theta}{\Gamma \vdash \mathbf{rec}\ x.P : \theta} \qquad \frac{\Gamma, x : \theta \vdash P : \theta'}{\Gamma \vdash \lambda(x : \theta).P : (\theta \to \theta')} \qquad \frac{\Gamma \vdash P_1 : (\theta \to \theta') \quad \Gamma \vdash P_2 : \theta}{\Gamma \vdash P_1(P_2) : \theta'}$$

Table 1: Syntax and typing of CIA 
$$[\![\iota]\!]_p = \bar p\langle get_\iota, put_\iota\rangle.0$$

$$[\![!V]\!]_p = (\nu q)([\![V]\!]_q \mid q(gt, pt).\overline{gt}(x).\bar p\langle x\rangle.0)$$

$$[\![E_1 \oplus E_2]\!]_p = (\nu q, r)([\![E_1]\!]_q \mid [\![E_2]\!]_r \mid q(x).r(y).\bar p\langle x \oplus y\rangle.0)$$

$$[\![\mathbf{skip}]\!]_p = \bar p.0$$

$$[\![\mathbf{output}\ E]\!]_p = (\nu q)([\![E]\!]_q \mid q(x).\overline{out}\langle x\rangle.\bar p.0)$$

$$[\![\mathbf{input}\ \iota]\!]_p = in(x).\overline{put_\iota}\langle x\rangle.\bar p.0$$

$$[\![V := E]\!]_p = (\nu q, r)([\![V]\!]_q \mid [\![E]\!]_r \mid q(gt, pt).r(x).\overline{pt}\langle x\rangle.\bar p.0)$$

$$[\![C_1 ; C_2]\!]_p = (\nu q)([\![C_1]\!]_q \mid q.[\![C_2]\!]_p)$$

$$[\![C_1 \parallel C_2]\!]_p = (\nu q, r)([\![C_1]\!]_q \mid [\![C_2]\!]_r \mid q.r.\bar p.0)$$

$$[\![\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2]\!]_p = (\nu q)([\![B]\!]_q \mid q(x).([x = tt]\,[\![P_1]\!]_p \mid [x = ff]\,[\![P_2]\!]_p))$$

$$[\![\mathbf{while}\ B\ \mathbf{do}\ C]\!]_p = (\nu a)(!a.(\nu q)([\![B]\!]_q \mid q(x).([x = tt]\,(\nu r)([\![C]\!]_r \mid r.\bar a.0) \mid [x = ff]\,\bar p.0)) \mid \bar a.0)$$

$$[\![\mathbf{new}\ [\tau]\ \iota := E\ \mathbf{in}\ C]\!]_p = (\nu q)([\![E]\!]_q \mid q(x).(\nu \iota)(Reg_\iota[x] \mid [\![C]\!]_p))$$

$$[\![x]\!]_p = \bar x\langle p\rangle.0$$

$$[\![\mathbf{rec}\ x.P]\!]_p = (\nu x)(!x(r).[\![P]\!]_r \mid \bar x\langle p\rangle.0)$$

$$[\![\lambda(x : \theta).P]\!]_p = (\nu v)(\bar p\langle v\rangle.v(x, q).[\![P]\!]_q)$$

$$[\![P_1\,P_2]\!]_p = (\nu q)([\![P_1]\!]_q \mid q(v).(\nu x)(\bar v\langle x, p\rangle \mid\ !x(r).[\![P_2]\!]_r))$$

Table 2: Encoding CIA−{await} in the π-calculus 



$$[\![!V]\!]_p = (\nu q)([\![V]\!]_q \mid q(gt, pt).\ell.\overline{gt}(x).(\bar\ell.0 \mid \bar p\langle x\rangle.0))$$

$$[\![\mathbf{output}\ E]\!]_p = (\nu q)([\![E]\!]_q \mid q(x).\ell.\overline{out}\langle x\rangle.(\bar\ell.0 \mid \bar p.0))$$

$$[\![\mathbf{input}\ \iota]\!]_p = \ell.in(x).(\bar\ell.0 \mid \ell.\overline{put_\iota}\langle x\rangle.(\bar\ell.0 \mid \bar p.0))$$

$$[\![V := E]\!]_p = (\nu q, r)([\![V]\!]_q \mid [\![E]\!]_r \mid q(gt, pt).r(x).\ell.\overline{pt}\langle x\rangle.(\bar\ell.0 \mid \bar p.0))$$

$$[\![\mathbf{await}\ B\ \mathbf{then}\ C]\!]_p = (\nu a)(!a.(\nu q)(\ell.[\![B]\!]_q \mid q(x).([x = tt]\,(\nu r)([\![C]\!]_r \mid r.(\bar\ell.0 \mid \bar p.0)) \mid [x = ff]\,(\bar\ell.0 \mid \bar a.0))) \mid \bar a.0)$$

Table 3: Encoding Full CIA in the π-calculus: Modifications to Table 2 